Multiple Hijacks- Surfsidekick3 Drsmartload Etc


15 replies to this topic

#1 geopilot

geopilot

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:11 PM

Posted 24 June 2006 - 09:57 AM

Hi, Was wondering if anyone had time to look at a HijackThis log- my computer has multiple adware/hijackers including SurfSidekick3 & drsmartloader. I followed the SurfSidekick tutorial and did not find the entries listed. Manually uninstalled from control panel- but suspect it and others are still there. Ad-Aware is the only other tool I've used and it fails to remove a bunch of things.
Thanks for any tips on this one- Dave
----------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:38:29 AM, on 6/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Linksys\Bluetooth Utility\bin\btwdins.exe
C:\WINDOWS\SmVhbm5l\command.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\wdfmgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKCU\..\Run: [uwri] C:\PROGRA~1\COMMON~1\uwri\uwrim.exe
O4 - HKCU\..\Run: [PECarlin] "C:\Program Files\PECarlin\PECarlin.exe"
O4 - HKCU\..\Run: [nfkao] C:\WINDOWS\system32\rqyhnx.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AXVenore] "C:\Program Files\AXVenore\AXVenore.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\owinsqez.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - AppInit_DLLs: Runner.dll
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\g2040cdqef0e0.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Linksys\Bluetooth Utility\bin\btwdins.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVhbm5l\command.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Net Logon Service (NetLgn) - Unknown owner - C:\WINDOWS\wdfmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\jouofeo.exe (file missing)
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe



#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:04:11 AM

Posted 28 June 2006 - 06:10 AM

Hey geopilot,

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, copy and paste next in the field:

C:\WINDOWS\wdfmgr.exe

Then click the Send File button below.

I will get back to you as soon as I have analysed the file,
David

#3 geopilot

geopilot
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:11 PM

Posted 30 June 2006 - 05:42 AM

Thanks for the reply. I have submitted the file requested. I also ran ewido in safe mode since the original post and removed what it found. Here is the latest HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 6:39:44 AM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Linksys\Bluetooth Utility\bin\btwdins.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\macromed\flash\GetFlash.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BTTray.lnk = C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - AppInit_DLLs: Runner.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\dn8s01l7e.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Linksys\Bluetooth Utility\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Net Logon Service (NetLgn) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\jouofeo.exe (file missing)
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:04:11 AM

Posted 30 June 2006 - 06:32 AM

Hello there,

It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above. It is important that you complete the following instructions in the correct order, and also that you don't miss anything out!

* Please set your system to show hidden files; please see here if you're unsure how to do this.

* Click on Start, then Control Panel, and then double-click on Add/Remove Programs. From within Add/Remove Programs, uninstall the following if they exist by double-clicking on the following entries:

Windows Overlay Components
Network Monitor
Command Service


Open Notepad and copy and paste the following into it:

sc stop "Network Monitor"
sc delete "Network Monitor"
sc stop NetLgn
sc delete NetLgn
sc stop "Windows Overlay Components"
sc delete "Windows Overlay Components"

Save this as look.bat
Choose to save as all files.
This is how the batch must look afterwards: (screenshot of the saved look.bat, not reproduced here)
Double-click look.bat and let the program run.

* Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
If you receive a message from your firewall about this program accessing the internet please allow it.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - AppInit_DLLs: Runner.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\dn8s01l7e.dll
O23 - Service: Net Logon Service (NetLgn) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\jouofeo.exe (file missing)


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

*Boot into Safe Mode (without networking support!)
By pressing the F8 key right when Windows starts, usually right after you hear your computer beep when you reboot it (some versions of Windows will display 'Starting Windows' with a grey progress bar), you will be brought to a menu where you can choose to boot into Safe Mode.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Windows\System32\Runner.dll
C:\WINDOWS\jouofeo.exe
C:\Program Files\Network Monitor <--folder
C:\WINDOWS\wdfmgr.exe <--do not delete the legit file in system32 folder!!

Please reboot back to Normal Mode and post back with the Look2Me-Destroyer log and a new HijackThis log,
David

Edited by D-Trojanator, 30 June 2006 - 06:33 AM.
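The indicators David picks out of geopilot's log above (entries pointing at missing files, services with "Unknown owner", a populated AppInit_DLLs, and binaries with random-looking names under C:\WINDOWS) can be applied mechanically to a HijackThis log. The Python below is an added example, not part of this thread and not HijackThis code; the heuristics are my assumptions modelled on the fix instructions, and the sample lines are copied from the logs posted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [nfkao] C:\WINDOWS\system32\rqyhnx.exe reg_run
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\owinsqez.exe
O20 - AppInit_DLLs: Runner.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\dn8s01l7e.dll
O23 - Service: Net Logon Service (NetLgn) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVhbm5l\command.exe
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
"""


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O23"
    reason: str   # why the line deserves a second look
    line: str     # the original log line


# A Windows path ending in a binary extension, quoted or not, possibly followed
# by arguments or a "(file missing)" marker.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|sys|bat|cmd|scr))\b", re.IGNORECASE)
MIXED_RE = re.compile(r"[a-z]\d+[a-z]")  # digits wedged between letters
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Crude heuristic (an assumption, not a HijackThis rule) for names like
    rqyhnx, dn8s01l7e and SmVhbm5l: a 5+ character stem with no vowels, or
    digits sandwiched between letters. Expect false positives on real files."""
    stem = name.lower().rsplit(".", 1)[0]
    if len(stem) >= 5 and not (set(stem) & VOWELS):
        return True
    return MIXED_RE.search(stem) is not None


def in_windows_dir(path: str) -> bool:
    """True for anything under <drive>:\\WINDOWS\\ (system32 included)."""
    return re.match(r"[a-z]:\\windows\\", path.lower()) is not None


def triage_line(line: str) -> list[Finding]:
    """Apply the indicators used in this thread to one HijackThis log line."""
    section = line.split(" - ", 1)[0].strip()
    hits: list[Finding] = []

    def flag(reason: str) -> None:
        hits.append(Finding(section, reason, line))

    if "(file missing)" in line or "(no file)" in line:
        flag("entry points at a file that no longer exists (dead hook or orphaned service)")
    if section == "O23" and "Unknown owner" in line:
        flag("service binary carries no vendor information")
    if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
        flag("AppInit_DLLs is normally empty; anything listed loads into every GUI process")

    m = PATH_RE.search(line)
    if m and in_windows_dir(m.group(1)):
        parts = m.group(1).split("\\")
        base, parent = parts[-1], parts[-2]
        if looks_random(base) or looks_random(parent):
            flag(f"randomly named file or folder under the Windows directory: {base} in {parent}")
        if section == "O4" and "Startup:" in line:
            flag("startup-folder shortcut launches a binary from a system directory")
    return hits


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over every non-empty line of a HijackThis log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(triage_line(line))
    return findings


def flagged_lines(log_text: str) -> list[str]:
    """Distinct log lines that carry at least one finding, in log order."""
    seen: list[str] = []
    for f in triage(log_text):
        if f.line not in seen:
            seen.append(f.line)
    return seen


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Note that the legitimate wdfmgr.exe path also trips the name heuristic, which is exactly why David's instructions say not to delete the copy in system32: the script ranks lines for a human to check, it does not decide what to remove.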


#5 geopilot

geopilot
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:11 PM

Posted 30 June 2006 - 10:56 PM

OK- all that went ok- got an error from HijackThis when fixing one of the files- but it completed.
Here's the Look2Me log:

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/30/2006 11:26:06 PM

Infected! C:\WINDOWS\system32\irl2l53o1.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000009.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000060.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000084.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000104.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000125.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000139.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000149.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000161.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000184.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000233.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000252.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000266.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000285.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000298.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000312.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000361.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000385.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000395.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0000440.dll
Infected! C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0000452.dll
Infected! C:\WINDOWS\SYSTEM32\CXCAAi51.dll
Infected! C:\WINDOWS\SYSTEM32\irl2l53o1.dll
Infected! C:\WINDOWS\SYSTEM32\n68olgl316q.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\irl2l53o1.dll
C:\WINDOWS\system32\irl2l53o1.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000009.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000009.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000060.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000060.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000084.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000084.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000104.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000104.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000125.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000125.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000139.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000139.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000149.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000149.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000161.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000161.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000184.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000184.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000233.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000233.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000252.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000252.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000266.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000266.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000285.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000285.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000298.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000298.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000312.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000312.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000361.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000361.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000385.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000385.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000395.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000395.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0000440.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0000440.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0000452.dll
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0000452.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\CXCAAi51.dll
C:\WINDOWS\SYSTEM32\CXCAAi51.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\irl2l53o1.dll
C:\WINDOWS\SYSTEM32\irl2l53o1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\n68olgl316q.dll
C:\WINDOWS\SYSTEM32\n68olgl316q.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reliability

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A5302B2B-D231-4B13-848E-681CF11AF55E}"
HKCR\Clsid\{A5302B2B-D231-4B13-848E-681CF11AF55E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{ED5B12A2-B1DF-4D61-ACD1-D12F2C673EEF}"
HKCR\Clsid\{ED5B12A2-B1DF-4D61-ACD1-D12F2C673EEF}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4376FA6C-FE38-4DF9-8668-A5DCF57A1DEA}"
HKCR\Clsid\{4376FA6C-FE38-4DF9-8668-A5DCF57A1DEA}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E2650076-2AD0-4778-A57D-B39EE9B58C90}"
HKCR\Clsid\{E2650076-2AD0-4778-A57D-B39EE9B58C90}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{66586A2E-235E-4244-90D8-78FB62C77DEB}"
HKCR\Clsid\{66586A2E-235E-4244-90D8-78FB62C77DEB}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D75FA6B6-E2A2-47ED-AFFF-FF6FFE6887EA}"
HKCR\Clsid\{D75FA6B6-E2A2-47ED-AFFF-FF6FFE6887EA}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0D5F330A-8594-4DD1-9B1F-3AA0AA0B6A84}"
HKCR\Clsid\{0D5F330A-8594-4DD1-9B1F-3AA0AA0B6A84}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{397F6792-1FCA-47C0-8CD5-D72E843328F0}"
HKCR\Clsid\{397F6792-1FCA-47C0-8CD5-D72E843328F0}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B166A554-FB33-405A-AA10-53FE1A19A906}"
HKCR\Clsid\{B166A554-FB33-405A-AA10-53FE1A19A906}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2809AB2E-F07A-4EAC-9D16-4EF12F5943A6}"
HKCR\Clsid\{2809AB2E-F07A-4EAC-9D16-4EF12F5943A6}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5139FADA-B666-4C0F-BDC7-BAB56992FDE0}"
HKCR\Clsid\{5139FADA-B666-4C0F-BDC7-BAB56992FDE0}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F4BED3CD-081E-4E79-94BF-1C50D0177823}"
HKCR\Clsid\{F4BED3CD-081E-4E79-94BF-1C50D0177823}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BE441418-B3FB-4DB8-BBBF-96943A87D7DF}"
HKCR\Clsid\{BE441418-B3FB-4DB8-BBBF-96943A87D7DF}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5220BD90-8352-4461-90B9-D4FB391DDF49}"
HKCR\Clsid\{5220BD90-8352-4461-90B9-D4FB391DDF49}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

#6 geopilot

geopilot
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:11 PM

Posted 30 June 2006 - 10:58 PM

And now the new HijackThis file:

Logfile of HijackThis v1.99.1
Scan saved at 11:52:06 PM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Linksys\Bluetooth Utility\bin\btwdins.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: EffBarBHO - {15E38167-B065-4BB5-B987-9F04B1E85AEA} - C:\Program Files\EngageSidebar\EffBar.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [uwri] C:\PROGRA~1\COMMON~1\uwri\uwrim.exe
O4 - HKCU\..\Run: [PECarlin] "C:\Program Files\PECarlin\PECarlin.exe"
O4 - HKCU\..\Run: [nfkao] C:\WINDOWS\system32\rqyhnx.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AXVenore] "C:\Program Files\AXVenore\AXVenore.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\owinsqez.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Linksys\Bluetooth Utility\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

#7 -David-

Posted 01 July 2006 - 04:16 AM

Hey there geopilot,
We've got a stubborn infection on our hands!
I need you to run a few scans so we can tackle the infection by removing its core files. The following instructions probably look daunting, but actually each scan takes about 5-10 minutes, probably less. I will create a fix once you have posted the logs. All of the following must be done in Normal mode.

* Download Combofix to your desktop.
Double-click combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

* Download FindQool.zip and save it to your C:\.

Extract (unzip) the files inside into their own folder called FindQool.
Read here how to unzip/extract properly:
Xp Compressed Explanation

This folder should be present on your C:\. In case it's not present there, move the FindQool folder to C:\, otherwise it won't work.
Then open the FindQool folder.
Locate and double-click the Qlocate.bat file to run it.

This will scan your system.
Wait until a text opens, save it to your desktop.

* Please download and save BlackLight to your C:\. Important!!
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Then go to Start > Run and copy and paste the next command in the field:

C:\blbeta.exe /expert

This should open BlackLight.
Click Scan, then Next.
You'll see a list of all items found.
Don't choose rename yet! I want to see the log first, because legit items can also be present there...
There must also be a log on your C:\ with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Please post back with the FindQool log, the BlackLight log and the combo log.

David

#8 geopilot

Posted 01 July 2006 - 06:51 PM

Hey David- Thanks again for the help. Ran the 3 scans. Here are the logs:
First combofix:

Start Time= Sat 07/01/2006 19:06:20.82
Running from: C:\Documents and Settings\Jeanne\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\SYSTEM32\DGRGSNAP.DLL
C:\WINDOWS\SYSTEM32\DZNMPNTW.DLL
C:\WINDOWS\SYSTEM32\HVL.DLL


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))

19:03:10.03

* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-21 13:24:22 127,488 "C:\WINDOWS\SYSTEM32\rqyhnx.exe"
2006-06-21 13:24:28 28,672 "C:\WINDOWS\SYSTEM32\iaqln.exe"
2006-06-21 06:20:14 48,167 "C:\WINDOWS\SYSTEM32\VSL05.exe"
2006-06-20 18:47:26 2 "C:\WINDOWS\SYSTEM32\wcpit.exe"
2006-05-10 01:23:00 55,808 "C:\WINDOWS\SYSTEM32\extmgr.dll"
2006-05-10 01:23:00 96,256 "C:\WINDOWS\SYSTEM32\inseng.dll"
2006-05-19 11:08:32 3,052,544 "C:\WINDOWS\SYSTEM32\mshtml.dll"
2006-05-10 01:23:02 532,480 "C:\WINDOWS\SYSTEM32\mstime.dll"
2006-06-12 15:09:18 10,752 "C:\WINDOWS\SYSTEM32\Shlesb.dll"
2006-05-10 01:23:02 613,888 "C:\WINDOWS\SYSTEM32\urlmon.dll"
2006-06-23 06:08:58 169,472 "C:\WINDOWS\SYSTEM32\banners.exe"
2006-05-23 17:25:52 285,488 "C:\WINDOWS\SYSTEM32\WgaTray.exe"
2006-05-10 01:23:00 151,040 "C:\WINDOWS\SYSTEM32\cdfview.dll"
2006-05-10 01:23:00 357,888 "C:\WINDOWS\SYSTEM32\dxtmsft.dll"
2006-05-10 01:23:00 205,312 "C:\WINDOWS\SYSTEM32\dxtrans.dll"
2006-05-10 01:23:00 251,392 "C:\WINDOWS\SYSTEM32\iepeers.dll"
2006-06-01 14:47:08 163,840 "C:\WINDOWS\SYSTEM32\jgdw400.dll"
2006-06-01 14:47:08 27,648 "C:\WINDOWS\SYSTEM32\jgpl400.dll"
2006-05-18 01:24:26 450,560 "C:\WINDOWS\SYSTEM32\jscript.dll"
2006-05-10 01:23:00 16,384 "C:\WINDOWS\SYSTEM32\jsproxy.dll"
2006-05-10 01:23:02 39,424 "C:\WINDOWS\SYSTEM32\pngfilt.dll"
2006-05-29 11:30:34 1,494,016 "C:\WINDOWS\SYSTEM32\shdocvw.dll"
2006-05-10 01:23:02 474,112 "C:\WINDOWS\SYSTEM32\shlwapi.dll"
2006-06-21 06:19:40 8,464 "C:\WINDOWS\SYSTEM32\sporder.dll"
2006-05-10 01:23:04 658,432 "C:\WINDOWS\SYSTEM32\wininet.dll"
2006-05-10 01:23:00 1,054,208 "C:\WINDOWS\SYSTEM32\danim.dll"
2006-06-21 06:35:42 218 "C:\WINDOWS\qlgne.dll"
2006-06-21 06:20:12 53 "C:\WINDOWS\eneqbo.dat"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06/21/2006 01:24 PM 127,488 rqyhnx.exe.vir
06/21/2006 01:24 PM 28,672 iaqln.exe.vir
06/21/2006 06:35 AM 218 qlgne.dll.vir
06/21/2006 06:20 AM 53 eneqbo.dat.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-23 06:08:58 169,472 "C:\WINDOWS\SYSTEM32\banners.exe"
2006-05-23 17:25:52 285,488 "C:\WINDOWS\SYSTEM32\WgaTray.exe"
2006-06-21 06:20:14 48,167 "C:\WINDOWS\SYSTEM32\VSL05.exe"
2006-06-20 18:47:26 2 "C:\WINDOWS\SYSTEM32\wcpit.exe"
2006-05-10 01:23:00 151,040 "C:\WINDOWS\SYSTEM32\cdfview.dll"
2006-05-10 01:23:00 357,888 "C:\WINDOWS\SYSTEM32\dxtmsft.dll"
2006-05-10 01:23:00 205,312 "C:\WINDOWS\SYSTEM32\dxtrans.dll"
2006-05-10 01:23:00 251,392 "C:\WINDOWS\SYSTEM32\iepeers.dll"
2006-06-01 14:47:08 163,840 "C:\WINDOWS\SYSTEM32\jgdw400.dll"
2006-06-01 14:47:08 27,648 "C:\WINDOWS\SYSTEM32\jgpl400.dll"
2006-05-18 01:24:26 450,560 "C:\WINDOWS\SYSTEM32\jscript.dll"
2006-05-10 01:23:00 16,384 "C:\WINDOWS\SYSTEM32\jsproxy.dll"
2006-05-10 01:23:02 39,424 "C:\WINDOWS\SYSTEM32\pngfilt.dll"
2006-05-29 11:30:34 1,494,016 "C:\WINDOWS\SYSTEM32\shdocvw.dll"
2006-05-10 01:23:02 474,112 "C:\WINDOWS\SYSTEM32\shlwapi.dll"
2006-06-21 06:19:40 8,464 "C:\WINDOWS\SYSTEM32\sporder.dll"
2006-05-10 01:23:04 658,432 "C:\WINDOWS\SYSTEM32\wininet.dll"
2006-05-10 01:23:00 55,808 "C:\WINDOWS\SYSTEM32\extmgr.dll"
2006-05-10 01:23:00 96,256 "C:\WINDOWS\SYSTEM32\inseng.dll"
2006-05-19 11:08:32 3,052,544 "C:\WINDOWS\SYSTEM32\mshtml.dll"
2006-05-10 01:23:02 532,480 "C:\WINDOWS\SYSTEM32\mstime.dll"
2006-06-12 15:09:18 10,752 "C:\WINDOWS\SYSTEM32\Shlesb.dll"
2006-05-10 01:23:02 613,888 "C:\WINDOWS\SYSTEM32\urlmon.dll"
2006-05-10 01:23:00 1,054,208 "C:\WINDOWS\SYSTEM32\danim.dll"


((((((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Jeanne\Application Data\Sskcwrd.dll
C:\Documents and Settings\Jeanne\Application Data\Sskknwrd.dll
C:\Documents and Settings\Jeanne\Local Settings\Temporary Internet Files\Ssk.log
C:\WINDOWS\Prefetch\SSK.EXE-35B0063B.pf
C:\WINDOWS\Prefetch\SSKUPDATER3.EXE-2D54193F.pf


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



19:06:07.09
((((((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\Mendoza1.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ODAJCD6Z\drsmartload[2].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ODAJCD6Z\kybrd_1[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W9QVGTUZ\nwnm_1[1].exe
C:\WINDOWS\newname.dat
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\uninstall_nmon.vbs
C:\Program Files\Common Files\misc001
C:\Program Files\Common Files\simtest
C:\Program Files\Common Files\svchostsys
C:\Documents and Settings\LocalService\Application Data\NetMon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-01 18:59:30 818752 ( A.... ) "C:\blbeta.exe"
2006-06-30 23:19:14 168 ( A.... ) "C:\look.bat"
2006-06-24 16:05:28 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-06-24 16:04:10 8405024 ( A.... ) "C:\ewido-setup_4.0.0.172a.exe"
2006-06-24 15:28:56 926 ( A.... ) "C:\WINDOWS\SYSTEM32\nt68rrtc12.sys"
2006-06-24 15:28:56 926 ( A.... ) "C:\WINDOWS\SYSTEM32\nt68rrtc12.sys"
2006-06-24 09:08:52 2560 ( A.... ) "C:\ac3_0003.exe"
2006-06-23 06:08:58 169472 ( A.... ) "C:\WINDOWS\SYSTEM32\banners.exe"
2006-06-23 06:08:58 ( .D... ) "C:\Program Files\EngageSidebar"
2006-06-22 15:36:08 11776 ( A.... ) "C:\bootmgr.exe"
2006-06-22 09:18:14 104300 ( A.... ) "C:\Trelew.exe"
2006-06-22 07:31:14 ( .D... ) "C:\Documents and Settings\Jeanne\Application Data\Lavasoft"
2006-06-22 07:31:04 ( .D... ) "C:\Program Files\Lavasoft"
2006-06-22 07:29:48 2855080 ( A.... ) "C:\aawsepersonal.exe"
2006-06-22 07:21:32 208896 ( A.... ) "C:\uninstaller.exe"
2006-06-22 07:08:40 2176928 ( A.... ) "C:\Windows-KB890830-V1.17.exe"
2006-06-21 13:27:56 33012 ( A.... ) "C:\WINDOWS\SYSTEM32\tpuninstall.exe"
2006-06-21 13:26:04 25873 ( A.... ) "C:\mc-110-12-0000228.exe"
2006-06-21 13:25:00 ( .D... ) "C:\Program Files\Common Files\uwri"
2006-06-21 06:21:54 ( .D... ) "C:\Program Files\PartyPoker"
2006-06-21 06:20:26 ( .D... ) "C:\Program Files\Windows"
2006-06-21 06:20:26 ( .D... ) "C:\Program Files\Common Files\InetGet"
2006-06-21 06:20:14 48167 ( A.... ) "C:\WINDOWS\SYSTEM32\VSL05.exe"
2006-06-21 06:19:40 8464 ( A.... ) "C:\WINDOWS\SYSTEM32\sporder.dll"
2006-06-21 06:18:54 419383 ( A.... ) "C:\visfx500.exe"
2006-06-20 18:47:26 2 ( A.... ) "C:\WINDOWS\SYSTEM32\wcpit.exe"
2006-06-20 18:47:12 ( .D... ) "C:\Program Files\?racle"
2006-06-20 16:43:10 427756 ( A.... ) "C:\bootsector.exe"
2006-06-20 16:27:08 170 ( A.... ) "C:\WINDOWS\comexec.bat"
2006-06-20 15:31:32 105198 ( A.SH. ) "C:\WINDOWS\iexplore.exe"
2006-06-19 16:39:16 139264 ( A.... ) "C:\WINDOWS\876056.exe"
2006-06-14 22:18:50 154 ( A.... ) "C:\WINDOWS\comfix.bat"
2006-06-12 15:09:18 10752 ( A.... ) "C:\WINDOWS\SYSTEM32\Shlesb.dll"
2006-06-08 18:19:52 5967776 ( A.... ) "C:\WINDOWS\SYSTEM32\MRT.exe"
2006-06-01 14:47:08 163840 ( A.... ) "C:\WINDOWS\SYSTEM32\jgdw400.dll"
2006-06-01 14:47:08 27648 ( A.... ) "C:\WINDOWS\SYSTEM32\jgpl400.dll"
2006-05-30 19:09:20 24576 ( A.... ) "C:\WINDOWS\Uninstall.exe"
2006-05-29 11:30:34 1494016 ( A.... ) "C:\WINDOWS\SYSTEM32\shdocvw.dll"
2006-05-23 17:26:00 579888 ( A.... ) "C:\WINDOWS\SYSTEM32\LegitCheckControl.dll"
2006-05-23 17:25:52 402736 ( A.... ) "C:\WINDOWS\SYSTEM32\WgaLogon.dll"
2006-05-23 17:25:52 285488 ( ..... ) "C:\WINDOWS\SYSTEM32\WgaTray.exe"
2006-05-19 11:08:32 3052544 ( A.... ) "C:\WINDOWS\SYSTEM32\mshtml.dll"
2006-05-18 01:24:26 450560 ( A.... ) "C:\WINDOWS\SYSTEM32\jscript.dll"
2006-05-11 04:23:24 24576 ( A.... ) "C:\WINDOWS\SYSTEM32\xpsp3res.dll"
2006-05-10 01:23:04 658432 ( A.... ) "C:\WINDOWS\SYSTEM32\wininet.dll"
2006-05-10 01:23:02 613888 ( A.... ) "C:\WINDOWS\SYSTEM32\urlmon.dll"
2006-05-10 01:23:02 532480 ( A.... ) "C:\WINDOWS\SYSTEM32\mstime.dll"
2006-05-10 01:23:02 474112 ( A.... ) "C:\WINDOWS\SYSTEM32\shlwapi.dll"
2006-05-10 01:23:02 448512 ( A.... ) "C:\WINDOWS\SYSTEM32\mshtmled.dll"
2006-05-10 01:23:02 146432 ( A.... ) "C:\WINDOWS\SYSTEM32\msrating.dll"
2006-05-10 01:23:02 39424 ( A.... ) "C:\WINDOWS\SYSTEM32\pngfilt.dll"
2006-05-10 01:23:00 1054208 ( A.... ) "C:\WINDOWS\SYSTEM32\danim.dll"
2006-05-10 01:23:00 1022976 ( A.... ) "C:\WINDOWS\SYSTEM32\browseui.dll"
2006-05-10 01:23:00 357888 ( A.... ) "C:\WINDOWS\SYSTEM32\dxtmsft.dll"
2006-05-10 01:23:00 251392 ( A.... ) "C:\WINDOWS\SYSTEM32\iepeers.dll"
2006-05-10 01:23:00 205312 ( A.... ) "C:\WINDOWS\SYSTEM32\dxtrans.dll"
2006-05-10 01:23:00 151040 ( A.... ) "C:\WINDOWS\SYSTEM32\cdfview.dll"
2006-05-10 01:23:00 96256 ( A.... ) "C:\WINDOWS\SYSTEM32\inseng.dll"
2006-05-10 01:23:00 55808 ( A.... ) "C:\WINDOWS\SYSTEM32\extmgr.dll"
2006-05-10 01:23:00 16384 ( A.... ) "C:\WINDOWS\SYSTEM32\jsproxy.dll"
2006-04-29 06:07:48 5533696 ( A.... ) "C:\WINDOWS\SYSTEM32\wmp.dll"


((((((((((((((((((((((((((((((((((((((((( Files Created - Last 30days ))))))))))))))))))))))))))))))))))))))))))))))


2006-07-01 18:59 818,752 C:\blbeta.exe
2006-06-30 23:49 527,892,480 C:\hiberfil.sys
2006-06-30 23:19 168 C:\look.bat
2006-06-24 16:04 8,405,024 C:\ewido-setup_4.0.0.172a.exe
2006-06-24 09:08 2,560 C:\ac3_0003.exe
2006-06-23 06:08 169,472 C:\WINDOWS\system32\banners.exe
2006-06-22 15:36 926 C:\WINDOWS\system32\nt68rrtc12.sys
2006-06-22 15:36 11,776 C:\bootmgr.exe
2006-06-22 09:18 104,300 C:\Trelew.exe
2006-06-22 07:29 2,855,080 C:\aawsepersonal.exe
2006-06-22 07:21 208,896 C:\uninstaller.exe
2006-06-22 07:08 2,176,928 C:\Windows-KB890830-V1.17.exe
2006-06-21 13:27 33,012 C:\WINDOWS\system32\tpuninstall.exe
2006-06-21 13:25 25,873 C:\mc-110-12-0000228.exe
2006-06-21 06:20 48,167 C:\WINDOWS\system32\VSL05.exe
2006-06-21 06:19 8,464 C:\WINDOWS\system32\sporder.dll
2006-06-21 06:18 419,383 C:\visfx500.exe
2006-06-21 06:18 170 C:\WINDOWS\comexec.bat
2006-06-20 18:47 2 C:\WINDOWS\system32\wcpit.exe
2006-06-20 16:43 427,756 C:\bootsector.exe
2006-06-20 16:43 105,198 C:\WINDOWS\iexplore.exe
2006-06-19 20:12 154 C:\WINDOWS\comfix.bat
2006-06-19 16:39 139,264 C:\WINDOWS\876056.exe
2006-06-12 15:09 10,752 C:\WINDOWS\system32\Shlesb.dll
2006-05-30 19:09 24,576 C:\WINDOWS\Uninstall.exe


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"uwri"="C:\\PROGRA~1\\COMMON~1\\uwri\\uwrim.exe"
"PECarlin"="\"C:\\Program Files\\PECarlin\\PECarlin.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"AXVenore"="\"C:\\Program Files\\AXVenore\\AXVenore.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"WinUpdate.exe"="C:\\Program Files\\Windows\\WinUpdate.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Online Services\\zyreropy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Internet Explorer\\wopy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"sys_up1"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"
"Uqasank"="C:\\Documents and Settings\\LocalService\\Application Data\\??mbols\\??erinit.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"sys_up1"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"
"Uqasank"="C:\\Documents and Settings\\LocalService\\Application Data\\??mbols\\??erinit.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=dword:00000002



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (DELL6000-David).job

Completion time: Sat 07/01/2006 19:06:37.20
ComboFix ver 06.07.02 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-01.190620.txt


Now FindQool:

Sat 07/01/2006
Running from: C:\FindQool\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

Known file names

MD5 Check....

Files found with locate com.
Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
...


...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
HKCU
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ explorer.exe
userinit REG_SZ c:\windows\system32\userinit.exe,
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 17/05/2006


Here's the Blacklight. It reported no items found.

07/01/06 19:41:17 [Info]: BlackLight Engine 1.0.42 initialized
07/01/06 19:41:17 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/01/06 19:41:17 [Note]: 7019 4
07/01/06 19:41:17 [Note]: 7005 0
07/01/06 19:41:28 [Note]: 7006 0
07/01/06 19:41:28 [Note]: 7022 0
07/01/06 19:41:28 [Note]: 7011 504
07/01/06 19:41:29 [Note]: 7026 0
07/01/06 19:41:29 [Note]: 7026 0
07/01/06 19:41:29 [Note]: FSRAW library version 1.7.1019
07/01/06 19:45:13 [Note]: 7007 0


Finally a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:50:35 PM, on 7/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Linksys\Bluetooth Utility\bin\btwdins.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: EffBarBHO - {15E38167-B065-4BB5-B987-9F04B1E85AEA} - C:\Program Files\EngageSidebar\EffBar.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [uwri] C:\PROGRA~1\COMMON~1\uwri\uwrim.exe
O4 - HKCU\..\Run: [PECarlin] "C:\Program Files\PECarlin\PECarlin.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AXVenore] "C:\Program Files\AXVenore\AXVenore.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\owinsqez.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Linksys\Bluetooth Utility\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

#9 -David-

Posted 02 July 2006 - 03:52 AM

Hello there,

It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above. It is important that you complete the following instructions in the correct order, and also that you don't miss anything out!

Click on Start, then Control Panel, and then double-click on Add/Remove Programs. From within Add/Remove Programs, uninstall the following if they exist by double-clicking on the entries:

EngageSidebar

* Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

* Boot into Safe Mode (without networking support!)
By pressing the F8 key right when Windows starts, usually right after you hear your computer beep when you reboot it (some versions of Windows will display 'Starting Windows' with a grey progress bar), you will be brought to a menu where you can choose to boot into Safe Mode.

* Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

O2 - BHO: EffBarBHO - {15E38167-B065-4BB5-B987-9F04B1E85AEA} - C:\Program Files\EngageSidebar\EffBar.dll
O4 - HKCU\..\Run: [uwri] C:\PROGRA~1\COMMON~1\uwri\uwrim.exe
O4 - HKCU\..\Run: [PECarlin] "C:\Program Files\PECarlin\PECarlin.exe"
O4 - HKCU\..\Run: [AXVenore] "C:\Program Files\AXVenore\AXVenore.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\owinsqez.exe


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\SYSTEM32\VSL05.exe
C:\WINDOWS\SYSTEM32\wcpit.exe
C:\WINDOWS\SYSTEM32\Shlesb.dll
C:\WINDOWS\SYSTEM32\banners.exe
C:\Documents and Settings\Jeanne\Application Data\Sskcwrd.dll
C:\Documents and Settings\Jeanne\Application Data\Sskknwrd.dll
C:\Documents and Settings\Jeanne\Local Settings\Temporary Internet Files\Ssk.log
C:\WINDOWS\Prefetch\SSK.EXE-35B0063B.pf
C:\WINDOWS\Prefetch\SSKUPDATER3.EXE-2D54193F.pf
C:\WINDOWS\SYSTEM32\nt68rrtc12.sys
C:\ac3_0003.exe
C:\Program Files\EngageSidebar <--folder
C:\Trelew.exe
C:\bootmgr.exe
C:\uninstaller.exe
C:\WINDOWS\SYSTEM32\tpuninstall.exe
C:\mc-110-12-0000228.exe
C:\Program Files\Common Files\uwri <--folder
C:\Program Files\PartyPoker <--folder
C:\Program Files\Common Files\InetGet <--folder
C:\Program Files\Windows <--do not delete the Windows folder in C:\!!
C:\visfx500.exe
C:\Program Files\?racle <--will have a letter in place of the ?
C:\bootsector.exe
C:\WINDOWS\comexec.bat
C:\WINDOWS\iexplore.exe
C:\WINDOWS\876056.exe
C:\Program Files\AXVenore <--folder
C:\Program Files\PECarlin <--folder
C:\Program Files\Online Services\zyreropy.html
C:\Program Files\Internet Explorer\wopy.html
C:\Documents and Settings\LocalService\Application Data\??mbols <--contains ??erinit.exe
C:\Program Files\Common Files\svchostsys <--folder
C:\WINDOWS\SYSTEM32\owinsqez.exe

Please reboot back to normal mode and post back a new Hijackthis log and a new Combofix log.
David
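
The two ComboFix logs in this thread bracket the fix above, so the natural check is to diff their Reg Loading Points sections and confirm that every autorun the fix targeted is actually gone. The following Python is an added example, not code from this thread, ComboFix or HijackThis; its inputs are constructed excerpts of the pre-fix log above and the post-fix log that follows, and the folder list is copied from the deletion instructions.

```python
# Added example (not code from this thread, ComboFix or HijackThis): parse the
# .reg-style "Reg Loading Points" block ComboFix prints, diff a pre-fix and a
# post-fix capture, and flag survivors that point into a folder the fix deleted.
import re

# Constructed excerpt of the pre-fix ComboFix "Reg Loading Points" block.
BEFORE = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"uwri"="C:\\PROGRA~1\\COMMON~1\\uwri\\uwrim.exe"
"PECarlin"="\"C:\\Program Files\\PECarlin\\PECarlin.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"AXVenore"="\"C:\\Program Files\\AXVenore\\AXVenore.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"WinUpdate.exe"="C:\\Program Files\\Windows\\WinUpdate.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Online Services\\zyreropy.html"
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"sys_up1"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"
'''

# Constructed excerpt of the post-fix ComboFix "Reg Loading Points" block.
AFTER = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"WinUpdate.exe"="C:\\Program Files\\Windows\\WinUpdate.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Online Services\\zyreropy.html"
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
'''

# Folders the fix instructions in this thread told the user to delete.
DELETED_FOLDERS = [
    r"C:\Program Files\Common Files\uwri",
    r"C:\Program Files\PECarlin",
    r"C:\Program Files\AXVenore",
    r"C:\Program Files\Windows",
    r"C:\Program Files\Common Files\svchostsys",
]

REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]*)"=(.*)$')


def parse_reg_dump(text: str) -> dict[tuple[str, str], str]:
    """Return {(key, value_name): raw_data} for every value in a .reg-style dump."""
    entries, key, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):                  # .reg continuation of long hex data
            pending = line[:-1]
        elif m := REG_KEY.match(line):
            key = m.group(1).lower()             # registry paths are case-insensitive
        elif (m := REG_VALUE.match(line)) and key is not None:
            entries[(key, m.group(1))] = m.group(2)
    return entries                               # blank and *Note* lines fall through


def command_path(data: str) -> str:
    """Executable path of a REG_SZ autorun value; dword:/hex: data is returned verbatim."""
    if not data.startswith('"'):
        return data
    s = re.sub(r"\\(.)", r"\1", data[1:-1])      # undo .reg escaping of \\ and \"
    if s.startswith('"'):
        return s[1:s.index('"', 1)]              # quoted path, arguments follow
    return s                                     # unquoted: the whole value


def diff_loading_points(before: str, after: str):
    """(removed, survived, added) as sorted lists of (key, value_name)."""
    b, a = parse_reg_dump(before), parse_reg_dump(after)
    return (sorted(k for k in b if k not in a),
            sorted(k for k in b if k in a),
            sorted(k for k in a if k not in b))


def stale_survivors(after: str, deleted_folders: list[str]) -> list[tuple[str, str, str]]:
    """Post-fix autorun values whose target sits under a folder the fix deleted:
    either a dangling entry still to clean up, or a sign the file was put back."""
    prefixes = [f.lower().rstrip("\\") + "\\" for f in deleted_folders]  # trailing \ so "windows" != "windows nt"
    hits = []
    for (key, name), data in parse_reg_dump(after).items():
        path = command_path(data).lower()
        if any(path.startswith(p) for p in prefixes):
            hits.append((key, name, path))
    return hits
```

Anything stale_survivors reports deserves a second look before the thread is closed: on these excerpts the policies\explorer\run value still points at C:\Program Files\Windows\WinUpdate.exe after that folder was on the deletion list.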

#10 geopilot

Posted 02 July 2006 - 06:45 AM

Thanks for the fast reply. I'm off on holiday later this morning, so if I don't get back to you till Saturday, that's why. Please leave this thread open if you can. Here are the latest logs after doing all of the above.
Combofix:
Start Time= Sun 07/02/2006 7:36:36.81
Running from: C:\Documents and Settings\Jeanne\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-01 18:59:30 818752 ( A.... ) "C:\blbeta.exe"
2006-06-30 23:19:14 168 ( A.... ) "C:\look.bat"
2006-06-24 16:05:28 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-06-24 16:04:10 8405024 ( A.... ) "C:\ewido-setup_4.0.0.172a.exe"
2006-06-22 07:31:14 ( .D... ) "C:\Documents and Settings\Jeanne\Application Data\Lavasoft"
2006-06-22 07:31:04 ( .D... ) "C:\Program Files\Lavasoft"
2006-06-22 07:29:48 2855080 ( A.... ) "C:\aawsepersonal.exe"
2006-06-22 07:08:40 2176928 ( A.... ) "C:\Windows-KB890830-V1.17.exe"
2006-06-21 06:19:40 8464 ( A.... ) "C:\WINDOWS\SYSTEM32\sporder.dll"
2006-06-14 22:18:50 154 ( A.... ) "C:\WINDOWS\comfix.bat"
2006-06-08 18:19:52 5967776 ( A.... ) "C:\WINDOWS\SYSTEM32\MRT.exe"
2006-06-01 14:47:08 163840 ( A.... ) "C:\WINDOWS\SYSTEM32\jgdw400.dll"
2006-06-01 14:47:08 27648 ( A.... ) "C:\WINDOWS\SYSTEM32\jgpl400.dll"
2006-05-30 19:09:20 24576 ( A.... ) "C:\WINDOWS\Uninstall.exe"
2006-05-29 11:30:34 1494016 ( A.... ) "C:\WINDOWS\SYSTEM32\shdocvw.dll"
2006-05-23 17:26:00 579888 ( A.... ) "C:\WINDOWS\SYSTEM32\LegitCheckControl.dll"
2006-05-23 17:25:52 402736 ( A.... ) "C:\WINDOWS\SYSTEM32\WgaLogon.dll"
2006-05-23 17:25:52 285488 ( ..... ) "C:\WINDOWS\SYSTEM32\WgaTray.exe"
2006-05-19 11:08:32 3052544 ( A.... ) "C:\WINDOWS\SYSTEM32\mshtml.dll"
2006-05-18 01:24:26 450560 ( A.... ) "C:\WINDOWS\SYSTEM32\jscript.dll"
2006-05-11 04:23:24 24576 ( A.... ) "C:\WINDOWS\SYSTEM32\xpsp3res.dll"
2006-05-10 01:23:04 658432 ( A.... ) "C:\WINDOWS\SYSTEM32\wininet.dll"
2006-05-10 01:23:02 613888 ( A.... ) "C:\WINDOWS\SYSTEM32\urlmon.dll"
2006-05-10 01:23:02 532480 ( A.... ) "C:\WINDOWS\SYSTEM32\mstime.dll"
2006-05-10 01:23:02 474112 ( A.... ) "C:\WINDOWS\SYSTEM32\shlwapi.dll"
2006-05-10 01:23:02 448512 ( A.... ) "C:\WINDOWS\SYSTEM32\mshtmled.dll"
2006-05-10 01:23:02 146432 ( A.... ) "C:\WINDOWS\SYSTEM32\msrating.dll"
2006-05-10 01:23:02 39424 ( A.... ) "C:\WINDOWS\SYSTEM32\pngfilt.dll"
2006-05-10 01:23:00 1054208 ( A.... ) "C:\WINDOWS\SYSTEM32\danim.dll"
2006-05-10 01:23:00 1022976 ( A.... ) "C:\WINDOWS\SYSTEM32\browseui.dll"
2006-05-10 01:23:00 357888 ( A.... ) "C:\WINDOWS\SYSTEM32\dxtmsft.dll"
2006-05-10 01:23:00 251392 ( A.... ) "C:\WINDOWS\SYSTEM32\iepeers.dll"
2006-05-10 01:23:00 205312 ( A.... ) "C:\WINDOWS\SYSTEM32\dxtrans.dll"
2006-05-10 01:23:00 151040 ( A.... ) "C:\WINDOWS\SYSTEM32\cdfview.dll"
2006-05-10 01:23:00 96256 ( A.... ) "C:\WINDOWS\SYSTEM32\inseng.dll"
2006-05-10 01:23:00 55808 ( A.... ) "C:\WINDOWS\SYSTEM32\extmgr.dll"
2006-05-10 01:23:00 16384 ( A.... ) "C:\WINDOWS\SYSTEM32\jsproxy.dll"
2006-04-29 06:07:48 5533696 ( A.... ) "C:\WINDOWS\SYSTEM32\wmp.dll"


((((((((((((((((((((((((((((((((((((((((( Files Created - Last 30days ))))))))))))))))))))))))))))))))))))))))))))))


2006-07-02 07:33 527,892,480 C:\hiberfil.sys
2006-07-01 18:59 818,752 C:\blbeta.exe
2006-06-30 23:19 168 C:\look.bat
2006-06-24 16:04 8,405,024 C:\ewido-setup_4.0.0.172a.exe
2006-06-22 07:29 2,855,080 C:\aawsepersonal.exe
2006-06-22 07:08 2,176,928 C:\Windows-KB890830-V1.17.exe
2006-06-21 06:19 8,464 C:\WINDOWS\system32\sporder.dll
2006-06-19 20:12 154 C:\WINDOWS\comfix.bat
2006-05-30 19:09 24,576 C:\WINDOWS\Uninstall.exe


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"WinUpdate.exe"="C:\\Program Files\\Windows\\WinUpdate.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Online Services\\zyreropy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Internet Explorer\\wopy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"sys_up1"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"
"Uqasank"="C:\\Documents and Settings\\LocalService\\Application Data\\??mbols\\??erinit.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"sys_up1"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"
"Uqasank"="C:\\Documents and Settings\\LocalService\\Application Data\\??mbols\\??erinit.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=dword:00000002



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (DELL6000-David).job

Completion time: Sun 07/02/2006 7:36:52.34
ComboFix ver 06.07.02 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-01.190620.txt
ComboFix.2006-07-02.073426.txt
ComboFix.2006-07-02.073636.txt


and Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 7:38:40 AM, on 7/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Linksys\Bluetooth Utility\bin\btwdins.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: BTTray.lnk = C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Linksys\Bluetooth Utility\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

#11 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:04:11 AM

Posted 02 July 2006 - 12:37 PM

Hello there,

It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above. It is important that you complete the following instructions in the correct order, and also that you don't miss anything out!

* Your Java is out of date and the older versions are being exploited by malware. It is the likely cause of your infection, so we need to get it patched up as soon as possible.
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    It should have this icon next to it.
    Select it and click Remove.
  • Then download and install the newest version from here: http://www.java.com/en/download/manual.jsp
Open notepad and copy and paste next in it:

sc delete cmdService

Save this as look.bat
Choose to save as all files.
This is how the batch must look afterwards.
Doubleclick look.bat and copy the contents of the text file that opens back here.

Please delete the following three folders:

C:\Program Files\Common Files\svchostsys
C:\Documents and Settings\LocalService\Application Data\??mbols (contains file ??erinit.exe)
C:\Program Files\Windows

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there. (except for "My current home page")

As with all malware like this, it never comes alone and there are probably infected files left on your computer. Perform an online scan with Panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply by using Add Reply, along with a new Hijackthis log.

Also let me know how the computer is running. Have a good holiday and will leave this thread open. If I accidentally close it just drop me a PM and I'll open it again! :thumbsup:

David
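
The entries David singles out above (the policy-run WinUpdate.exe, the Active Desktop components backed by local HTML files, and the two Run values in the .DEFAULT/SYSTEM hive, one with unprintable characters in its path) can be picked out of a ComboFix "Reg Loading Points" dump mechanically. The following is an added example written for this thread; it is not code from ComboFix, HijackThis, BleepingComputer or anyone posting here. SAMPLE_DUMP is a shortened excerpt of the dump posted above; the LOOKALIKE_TOKENS list and the rule set are the example's own assumptions, not anything the tools implement.

```python
"""Triage helper for a ComboFix-style 'Reg Loading Points' dump.

Added example (not ComboFix, HijackThis or BleepingComputer code). It parses
the registry-export style text and applies a few heuristics that match the
entries flagged in the thread. SAMPLE_DUMP is a shortened excerpt of the log
posted above; LOOKALIKE_TOKENS and the rules are assumptions of this example.
"""
import re
from dataclasses import dataclass

# Shortened excerpt of the posted dump (only lines needed to exercise each rule).
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"WinUpdate.exe"="C:\\Program Files\\Windows\\WinUpdate.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Online Services\\zyreropy.html"
"Flags"=dword:00002000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"FriendlyName"="My Current Home Page"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"sys_up1"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"
"Uqasank"="C:\\Documents and Settings\\LocalService\\Application Data\\??mbols\\??erinit.exe"
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # REG_SZ only; dword:/hex: lines skipped

# Names malware borrows from Windows components (assumed list, not exhaustive).
LOOKALIKE_TOKENS = ('svchost', 'winlogon', 'lsass', 'csrss', 'winupdate')


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reason: str


def unescape(value: str) -> str:
    """Undo .reg escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_reg_dump(text: str):
    """Return (key, name, value) for every string value under each [key] section."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = STRING_VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group(1), unescape(m.group(2))))
    return entries


def image_path(command: str) -> str:
    """Extract the executable path from a Run-value command line."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' /', 1)[0]  # unquoted: first ' /' switch ends the path


def check_entry(key: str, name: str, value: str):
    """Apply the heuristics to one value; return zero or more Findings."""
    reasons = []
    if key.endswith('\\run'):
        path = image_path(value).lower()
        exe = path.rsplit('\\', 1)[-1]
        if '?' in path:  # ComboFix prints unprintable characters as '?'
            reasons.append('unprintable characters in image path')
        if key.startswith(('hkey_users\\.default', 'hkey_users\\s-1-5-18')):
            reasons.append('autorun in the .DEFAULT/SYSTEM hive')
        if '\\policies\\explorer\\run' in key:
            reasons.append('policy-managed autorun (policies\\explorer\\run)')
        if any(t in exe for t in LOOKALIKE_TOKENS) and not path.startswith('c:\\windows\\system32\\'):
            reasons.append('Windows look-alike name outside system32')
    elif '\\desktop\\components\\' in key and name.lower() == 'source':
        if re.match(r'^[a-z]:\\', value.lower()):  # local file, not About:Home or a URL
            reasons.append('Active Desktop component backed by a local HTML file')
    return [Finding(key, name, value, r) for r in reasons]


def scan(text: str):
    findings = []
    for key, name, value in parse_reg_dump(text):
        findings.extend(check_entry(key, name, value))
    return findings


def reasons_by_name(findings):
    """Group reasons per value name, sorted, for a compact summary."""
    out = {}
    for f in findings:
        out.setdefault(f.name, []).append(f.reason)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == '__main__':
    for f in scan(SAMPLE_DUMP):
        print(f'{f.reason}: [{f.key}] "{f.name}" = {f.value}')
```

Run against the excerpt it reports exactly the four values David asked to remove and stays quiet on the ewido and Messenger entries; the cmdService entry is not covered because it lives under msconfig\services rather than a Run key, which is why the thread handles it separately with `sc delete`.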

#12 geopilot

geopilot
  • Topic Starter

  • Members
  • 9 posts
  • Local time:11:11 PM

Posted 15 August 2006 - 09:56 PM

Hey David-
Finally getting back to this after the trip. Computer seems to be fine now.
I have updated the Java files.
Created Look.bat as you instructed and ran it. A window quickly opens and closes-
there is no window left open to copy here.
The directories you said to delete were already gone.
Nothing in the web tab under customize desktop.
I'm running Panda now and will post back if it finds anything and include a new hijackthis log.
Thanks again,
Dave

#13 geopilot

geopilot
  • Topic Starter

  • Members
  • 9 posts
  • Local time:11:11 PM

Posted 16 August 2006 - 05:34 AM

Here's the Panda report:

Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\David\Cookies\david@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\David\Cookies\david@ad.yieldmanager[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\David\Cookies\david@ads.addynamix[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\David\Cookies\david@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\David\Cookies\david@atdmt[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\David\Cookies\david@bravenet[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\David\Cookies\david@burstnet[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\David\Cookies\david@doubleclick[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\David\Cookies\david@fastclick[1].txt
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\David\Cookies\david@hc2.humanclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\David\Cookies\david@mediaplex[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\David\Cookies\david@server.iad.liveperson[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\David\Cookies\david@tribalfusion[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\David\Cookies\david@www.burstbeacon[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@ad.yieldmanager[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@atdmt[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@burstnet[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@hitbox[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\David\Local Settings\Temp\Cookies\david@trafficmp[1].txt
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-ad16e61-6246e709.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-ad16e61-6246e709.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-ad16e61-6246e709.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Jeanne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-ad16e61-6246e709.zip[Beyond.class]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@adopt.hbmediapro[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@adrevolver[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@ads.pointroll[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@apmebf[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@as-eu.falkag[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@as-us.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@ath.belnk[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@atwola[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@belnk[1].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@bfast[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@bluestreak[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@bravenet[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@casalemedia[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@ct.360i[2].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@data.coremetrics[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@doubleclick[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@fastclick[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@gostats[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@go[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@hitbox[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@maxserving[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@media.fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@perf.overture[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@phg.hitbox[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@realmedia[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@searchportal.information[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@server.iad.liveperson[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@statcounter[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@statse.webtrendslive[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@target[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@toplist[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@tribalfusion[2].txt
Spyware:Cookie/seeqA Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@www.seeq[1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@www48.seeq[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Jeanne\Cookies\jeanne@zedo[1].txt
Virus:W32/Mytob.KS.worm Disinfected Personal Folders\Inbox\Your new account password is approved\email-password.zip[email-password.doc .scr]
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0X6BKPI7\customerdept[1].zip[bootsector.exe]
Adware:Adware/FCHelp Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4PANWHMV\wallp2[1].exe
Adware:Adware/NewAds Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W9QVGTUZ\exec2[1].zip
Adware:Adware/CommAd Not disinfected C:\WINDOWS\SmVhbm5l\mAp1vAc5.vbs

And the Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 6:32:08 AM, on 8/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Linksys\Bluetooth Utility\bin\btwdins.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BTTray.lnk = C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Linksys\Bluetooth Utility\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

#14 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:04:11 AM

Posted 17 August 2006 - 10:46 AM

Please delete this folder:

C:\WINDOWS\SmVhbm5l

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click OK.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

I see a clean log here! :thumbsup:
How is the system running?
David

#15 geopilot

geopilot
  • Topic Starter

  • Members
  • 9 posts
  • Local time:11:11 PM

Posted 18 August 2006 - 09:31 PM

Computer is running great now. I have done the things you suggested above. Really appreciate the help and just sent a little donation to keep you helping others!
Dave



