Hijackthis Log: Please Help Diagnose


  • This topic is locked
18 replies to this topic

#1 Redhead88

  • Members
  • 10 posts

Posted 11 July 2006 - 10:56 PM

Logfile of HijackThis v1.99.1
Scan saved at 10:49:38 PM, on 7/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\taskbmr.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~2\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Gurney\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,wsdpycr.exe
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ufjanu] C:\WINDOWS\system32\unfiow.exe reg_run
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [qcpbp] C:\WINDOWS\system32\unfiow.exe reg_run
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\slriptpw.dll (file missing)
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\meutb.dll (file missing)
O20 - Winlogon Notify: SharedDlls - C:\WINDOWS\system32\mrwmdmsp.dll (file missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\shriptpw.dll (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\mjvcrt40.dll (file missing)
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\daser.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFjaw\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Mobile Task Scheduler (MBST) - Unknown owner - C:\WINDOWS\taskbmr.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

So I think I've got some virus issues, any help would be greatly appreciated.


#2 Redhead88

  • Topic Starter

  • Members
  • 10 posts

Posted 13 July 2006 - 05:20 PM

So I found and ran the steps to clean SurfSideKick from my computer, found here: http://www.bleepingcomputer.com/forums/t/9549/how-to-remove-surfsidekick-2-or-3-and-vcclient/

Also ran a McAfee virus scan, which deleted about 46 files and other malicious content.

New HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:18:11 PM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\taskbmr.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Gurney\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,wsdpycr.exe
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\slriptpw.dll (file missing)
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\meutb.dll (file missing)
O20 - Winlogon Notify: SharedDlls - C:\WINDOWS\system32\mrwmdmsp.dll (file missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\shriptpw.dll (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\mjvcrt40.dll (file missing)
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\daser.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Mobile Task Scheduler (MBST) - Unknown owner - C:\WINDOWS\taskbmr.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

Sorry, don't mean for this to be a bump.

#3 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 July 2006 - 07:38 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijackthis log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 Redhead88

  • Topic Starter

  • Members
  • 10 posts

Posted 17 July 2006 - 05:16 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:15:12 PM, on 7/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\taskbmr.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Documents and Settings\Gurney\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,wsdpycr.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\slriptpw.dll (file missing)
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\meutb.dll (file missing)
O20 - Winlogon Notify: SharedDlls - C:\WINDOWS\system32\mrwmdmsp.dll (file missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\shriptpw.dll (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\mjvcrt40.dll (file missing)
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\daser.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Mobile Task Scheduler (MBST) - Unknown owner - C:\WINDOWS\taskbmr.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

Again, any help you give will be greatly appreciated. Thanks much :thumbsup:

#5 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 17 July 2006 - 05:49 PM

Let's see what we can do.

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,wsdpycr.exe
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\slriptpw.dll (file missing)
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\meutb.dll (file missing)
O20 - Winlogon Notify: SharedDlls - C:\WINDOWS\system32\mrwmdmsp.dll (file missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\shriptpw.dll (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\mjvcrt40.dll (file missing)
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\daser.dll (file missing)



================


Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
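A small triage script for HijackThis-format log lines, added here as an example; it is not part of this thread, of HijackThis, or of ComboFix. Its heuristics are assumptions that mirror the entries the thread turns on (the extra executable appended to the F2 UserInit value, orphaned O20 Winlogon Notify entries, and from the first log the AppInit_DLLs entry, the O10 New.Net hijacks and an O23 service whose binary is gone); the sample lines are a constructed subset of the logs posted above.

```python
import re
from typing import List, Optional, Tuple

# A finding is (HijackThis section, reason, the offending log line).
Finding = Tuple[str, str, str]

# On Windows XP the UserInit value should contain only the real userinit.exe;
# anything appended after the comma is started by winlogon at every logon.
USERINIT_BASELINE = {r"c:\windows\system32\userinit.exe"}

# Constructed sample: a subset of the lines from the logs in this thread,
# in HijackThis v1.99.1 format (not a complete log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,wsdpycr.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ufjanu] C:\WINDOWS\system32\unfiow.exe reg_run
O10 - Hijacked Internet access by New.Net
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\meutb.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFjaw\command.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Section tag ("R0", "F2", "O23", ...) followed by " - " and the entry body.
LINE_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split 'O20 - Winlogon Notify: ...' into ('O20', 'Winlogon Notify: ...').
    Process-list lines and headers do not match and return None."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def extra_userinit_entries(body: str) -> List[str]:
    """Return every UserInit entry that is not the expected userinit.exe."""
    m = re.match(r"REG:system\.ini: UserInit=(.*)$", body)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if e.lower() not in USERINIT_BASELINE]


def triage(log_text: str) -> List[Finding]:
    """Flag the persistence and hijack indicators seen in this thread.
    Heuristics (assumptions, not HijackThis's own rules):
      F2  extra UserInit executable
      O10 Winsock LSP hijack reported by HijackThis
      O20 AppInit_DLLs set, or a Winlogon Notify entry whose DLL is gone
      O23 service whose binary is gone"""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        sec, body = parsed
        line = raw.strip()
        if sec == "F2":
            for extra in extra_userinit_entries(body):
                findings.append((sec, f"extra UserInit entry: {extra}", line))
        elif sec == "O10" and body.startswith("Hijacked Internet access"):
            findings.append((sec, "Winsock LSP hijack", line))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            if body.split(":", 1)[1].strip():
                findings.append((sec, "AppInit_DLLs loads into every user-mode process", line))
        elif sec == "O20" and body.startswith("Winlogon Notify:") and "(file missing)" in body:
            findings.append((sec, "orphaned Winlogon Notify entry", line))
        elif sec == "O23" and "(file missing)" in body:
            findings.append((sec, "service binary missing", line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Entries that HijackThis reports as "(file missing)" are registry leftovers rather than live code, which is why they can be cleared with Fix Checked without deleting a file.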

#6 Redhead88

  • Topic Starter

  • Members
  • 10 posts

Posted 17 July 2006 - 07:04 PM

Start Time= Mon 07/17/2006 18:54:49.51
Running from: C:\Documents and Settings\Gurney\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

18:55:39.93

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-19 16:19 304944 C:\WINDOWS\system32\WgaTray.exe
2006-07-11 20:57 127488 C:\WINDOWS\system32\unfiow.exe
2006-07-11 20:58 28672 C:\WINDOWS\system32\lwvmo.exe
2006-05-29 10:30 1494016 C:\WINDOWS\system32\shdocvw.dll
2006-05-10 00:23 658432 C:\WINDOWS\system32\wininet.dll
2006-05-10 00:23 474112 C:\WINDOWS\system32\shlwapi.dll
2006-05-18 00:24 450560 C:\WINDOWS\system32\jscript.dll
2006-07-11 13:27 380928 C:\WINDOWS\system32\WinNB58.dll
2006-05-10 00:22 357888 C:\WINDOWS\system32\dxtmsft.dll
2006-07-11 13:23 303104 C:\WINDOWS\system32\WinNB57.dll
2006-05-10 00:22 251392 C:\WINDOWS\system32\iepeers.dll
2006-05-10 00:22 205312 C:\WINDOWS\system32\dxtrans.dll
2006-05-14 03:44 181248 C:\WINDOWS\system32\rasmans.dll
2006-06-01 13:47 163840 C:\WINDOWS\system32\jgdw400.dll
2006-05-10 00:22 151040 C:\WINDOWS\system32\cdfview.dll
2006-05-10 00:23 39424 C:\WINDOWS\system32\pngfilt.dll
2006-05-16 15:23 28672 C:\WINDOWS\system32\vxblock.dll
2006-06-01 13:47 27648 C:\WINDOWS\system32\jgpl400.dll
2006-05-10 00:22 16384 C:\WINDOWS\system32\jsproxy.dll
2006-07-11 13:21 8464 C:\WINDOWS\system32\sporder.dll
2006-05-19 10:08 3052544 C:\WINDOWS\system32\mshtml.dll
2006-05-10 00:23 613888 C:\WINDOWS\system32\urlmon.dll
2006-05-10 00:23 532480 C:\WINDOWS\system32\mstime.dll
2006-06-18 17:54 440312 C:\WINDOWS\system32\vsutil.dll
2006-05-16 15:23 339968 C:\WINDOWS\system32\pxwave.dll
2006-06-18 17:54 157688 C:\WINDOWS\system32\vsinit.dll
2006-05-10 00:22 96256 C:\WINDOWS\system32\inseng.dll
2006-06-18 17:54 83960 C:\WINDOWS\system32\vsdata.dll
2006-06-18 17:54 83960 C:\WINDOWS\system32\zlcomm.dll
2006-05-10 00:22 55808 C:\WINDOWS\system32\extmgr.dll
2006-05-16 15:23 1257472 C:\WINDOWS\system32\pxsfs.dll
2006-05-10 00:22 1054208 C:\WINDOWS\system32\danim.dll
2006-05-16 15:23 450560 C:\WINDOWS\system32\pxdrv.dll
2006-05-16 15:23 176128 C:\WINDOWS\system32\pxmas.dll
2006-06-18 17:54 100344 C:\WINDOWS\system32\vsxml.dll
2006-06-18 17:54 59384 C:\WINDOWS\system32\vswmi.dll
2006-06-03 16:21 5150 C:\WINDOWS\mozver.dat
2006-07-11 13:21 53 C:\WINDOWS\bqllww.dat


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


C:\qoobox\unfiow.exe.vir
C:\qoobox\lwvmo.exe.vir
C:\qoobox\bqllww.dat.vir

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\shdocvw.dll
C:\WINDOWS\system32\wininet.dll
C:\WINDOWS\system32\shlwapi.dll
C:\WINDOWS\system32\jscript.dll
C:\WINDOWS\system32\WinNB58.dll
C:\WINDOWS\system32\dxtmsft.dll
C:\WINDOWS\system32\WinNB57.dll
C:\WINDOWS\system32\iepeers.dll
C:\WINDOWS\system32\dxtrans.dll
C:\WINDOWS\system32\rasmans.dll
C:\WINDOWS\system32\jgdw400.dll
C:\WINDOWS\system32\cdfview.dll
C:\WINDOWS\system32\pngfilt.dll
C:\WINDOWS\system32\vxblock.dll
C:\WINDOWS\system32\jgpl400.dll
C:\WINDOWS\system32\jsproxy.dll
C:\WINDOWS\system32\sporder.dll
C:\WINDOWS\system32\mshtml.dll
C:\WINDOWS\system32\urlmon.dll
C:\WINDOWS\system32\mstime.dll
C:\WINDOWS\system32\vsutil.dll
C:\WINDOWS\system32\pxwave.dll
C:\WINDOWS\system32\vsinit.dll
C:\WINDOWS\system32\inseng.dll
C:\WINDOWS\system32\vsdata.dll
C:\WINDOWS\system32\zlcomm.dll
C:\WINDOWS\system32\extmgr.dll
C:\WINDOWS\system32\pxsfs.dll
C:\WINDOWS\system32\danim.dll
C:\WINDOWS\system32\pxdrv.dll
C:\WINDOWS\system32\pxmas.dll
C:\WINDOWS\system32\vsxml.dll
C:\WINDOWS\system32\vswmi.dll
C:\WINDOWS\mozver.dat


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0HS1WJGP\drsmartload45a[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0HS1WJGP\Mendoza1[2].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0HS1WJGP\Mendoza1[3].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0HS1WJGP\kybrde_5[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Q1GVS3KH\drsmartload46a[2].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Q1GVS3KH\drsmartload849a[3].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Q1GVS3KH\drsmartload[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRYHYB2T\dfndre_5[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRYHYB2T\nwnme_5[1].exe
C:\WINDOWS\keyboard1.dat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-17 18:46 <DIR> C:\Program Files\trillian
2006-07-17 18:37 <DIR> C:\Program Files\Common Files\nullsoft
2006-07-17 18:37 <DIR> C:\Program Files\Common Files\aol
2006-07-17 18:37 <DIR> C:\Program Files\common files
2006-07-17 18:37 <DIR> C:\Program Files\aol
2006-07-17 18:37 <DIR> C:\Program Files\aod
2006-07-17 18:37 <DIR> C:\Documents and Settings\Gurney\Application Data\acccore
2006-07-17 18:36 <DIR> C:\Program Files\Common Files\aolshare
2006-07-16 00:44 <DIR> C:\Program Files\winamp
2006-07-13 18:50 <DIR> C:\Program Files\xfire
2006-07-13 17:24 <DIR> C:\Program Files\spybot - search & destroy
2006-07-13 00:15 <DIR> C:\Program Files\aim
2006-07-12 18:56 <DIR> C:\Program Files\zone labs
2006-07-12 18:29 <DIR> C:\Program Files\lineage ii
2006-07-12 17:20 <DIR> C:\Program Files\return to castle wolfenstein
2006-07-12 17:20 <DIR> C:\Program Files\call of duty
2006-07-11 21:37 <DIR> C:\Program Files\messenger
2006-07-11 20:55 <DIR> C:\Program Files\network associates
2006-07-11 20:55 <DIR> C:\Program Files\Common Files\cisco systems
2006-07-11 20:54 <DIR> C:\Program Files\symantec
2006-07-11 20:54 <DIR> C:\Program Files\Common Files\network associates
2006-07-11 17:55 409 C:\WINDOWS\tjlof.dll
2006-07-11 17:28 <DIR> C:\Program Files\Common Files\{a4437aed-0c78-1033-0114-050412210001}
2006-07-11 16:49 1,063 C:\WINDOWS\system32\zaqb791a.sys
2006-07-11 15:17 <DIR> C:\Program Files\Common Files\blizzard entertainment
2006-07-11 15:00 <DIR> C:\Program Files\ea games
2006-07-11 14:59 <DIR> C:\Program Files\installshield installation information
2006-07-11 14:58 <DIR> C:\Program Files\pokerstars.net
2006-07-11 14:57 <DIR> C:\Program Files\wowreader
2006-07-11 14:53 <DIR> C:\Program Files\wolfenstein - enemy territory
2006-07-11 14:47 <DIR> C:\Program Files\windows nt
2006-07-11 14:22 <DIR> C:\Program Files\lavasoft
2006-07-11 14:22 <DIR> C:\Documents and Settings\Gurney\Application Data\lavasoft
2006-07-11 13:29 183,296 C:\WINDOWS\ndnuninstall7_22.exe
2006-07-11 13:27 380,928 C:\WINDOWS\system32\winnb58.dll
2006-07-11 13:23 303,104 C:\WINDOWS\system32\winnb57.dll
2006-07-11 13:23 <DIR> C:\Program Files\partypoker
2006-07-11 13:21 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-11 13:21 <DIR> C:\Program Files\windows media player
2006-07-11 12:39 59,392 C:\WINDOWS\taskbmr.exe
2006-07-09 23:22 <DIR> C:\Program Files\mirc
2006-07-02 00:33 <DIR> C:\Program Files\limewire
2006-06-19 16:20 702,768 C:\WINDOWS\system32\wgalogon.dll
2006-06-18 17:54 83,960 C:\WINDOWS\system32\zlcomm.dll
2006-06-18 17:54 83,960 C:\WINDOWS\system32\vsdata.dll
2006-06-18 17:54 796,584 C:\WINDOWS\system32\libeay32_0.9.6l.dll
2006-06-18 17:54 71,672 C:\WINDOWS\system32\zlcommdb.dll
2006-06-18 17:54 71,672 C:\WINDOWS\system32\vsregexp.dll
2006-06-18 17:54 59,384 C:\WINDOWS\system32\vswmi.dll
2006-06-18 17:54 440,312 C:\WINDOWS\system32\vsutil.dll
2006-06-18 17:54 394,872 C:\WINDOWS\system32\vsdatant.sys
2006-06-18 17:54 268,280 C:\WINDOWS\system32\vspubapi.dll
2006-06-18 17:54 157,688 C:\WINDOWS\system32\vsinit.dll
2006-06-18 17:54 104,440 C:\WINDOWS\system32\vsmonapi.dll
2006-06-18 17:54 100,344 C:\WINDOWS\system32\vsxml.dll
2006-06-15 00:00 <DIR> C:\Program Files\internet explorer
2006-06-12 21:46 98,304 C:\WINDOWS\system32\cmdlineext.dll
2006-06-03 18:19 <DIR> C:\Program Files\mozilla firefox
2006-05-30 18:09 24,576 C:\WINDOWS\uninstall.exe
2006-05-23 23:44 <DIR> C:\Program Files\msn messenger
2006-05-19 16:16 2,560 C:\WINDOWS\system32\drivers\cdralw2k.sys
2006-05-19 16:16 2,432 C:\WINDOWS\system32\drivers\cdr4_xp.sys
2006-05-16 01:04 <DIR> C:\Program Files\linksys wireless-g pci wireless network monitor
2006-05-07 17:58 <DIR> C:\Program Files\activision
2006-05-02 01:09 <DIR> C:\Documents and Settings\Gurney\Application Data\google
2006-05-02 01:08 <DIR> C:\Program Files\google
2006-04-13 03:00 <DIR> C:\Program Files\outlook express
2006-04-13 03:00 <DIR> C:\Program Files\Common Files\system
2006-03-27 03:00 <DIR> C:\Program Files\java
2006-01-31 19:13 <DIR> C:\Documents and Settings\Gurney\Application Data\ati mmc
2006-01-19 14:20 <DIR> C:\Documents and Settings\Gurney\Application Data\iscreensaver
2006-01-16 17:05 <DIR> C:\Documents and Settings\Gurney\Application Data\microsoft
2006-01-12 23:20 <DIR> C:\Program Files\thq
2006-01-04 21:21 <DIR> C:\Program Files\ati technologies
2005-10-25 10:32 <DIR> C:\Documents and Settings\Gurney\Application Data\xfire
2005-10-16 23:45 <DIR> C:\Documents and Settings\Gurney\Application Data\teamspeak2
2005-10-14 22:26 <DIR> C:\Program Files\viewpoint
2005-10-14 22:26 <DIR> C:\Documents and Settings\Gurney\Application Data\viewpoint
2005-10-10 20:51 <DIR> C:\Program Files\playnet
2005-10-10 20:50 <DIR> C:\Program Files\crs
2005-10-09 12:34 <DIR> C:\Program Files\divx
2005-10-02 21:21 <DIR> C:\Program Files\belkin
2005-09-27 18:15 <DIR> C:\Program Files\msxml 4.0
2005-09-27 18:15 <DIR> C:\Program Files\gamespy arcade
2005-09-27 18:13 <DIR> C:\Program Files\microsoft games
2005-09-23 15:47 <DIR> C:\Documents and Settings\Gurney\Application Data\msninstaller
2005-09-23 15:46 <DIR> C:\Program Files\msn
2005-09-21 18:53 <DIR> C:\Program Files\quicktime
2005-09-13 18:43 <DIR> C:\Documents and Settings\Gurney\Application Data\autodesk
2005-09-13 18:41 <DIR> C:\Program Files\Common Files\autodesk shared
2005-09-13 18:41 <DIR> C:\Program Files\autocad 2006
2005-09-13 18:40 <DIR> C:\Program Files\microsoft office
2005-09-13 18:40 <DIR> C:\Program Files\Common Files\microsoft shared
2005-09-13 18:40 <DIR> C:\Program Files\Common Files\designer
2005-09-13 18:40 <DIR> C:\Program Files\answerworks 4.0
2005-09-07 20:50 <DIR> C:\Program Files\winrar
2005-09-05 22:18 <DIR> C:\Documents and Settings\Gurney\Application Data\ventrilo
2005-09-05 21:57 <DIR> C:\Program Files\ventrilo
2005-09-05 21:57 <DIR> C:\Program Files\Common Files\wise installation wizard
2005-08-23 18:11 <DIR> C:\Program Files\cheetah burner
2005-08-22 18:36 <DIR> C:\Program Files\extractnow
2005-08-21 21:01 <DIR> C:\Documents and Settings\Gurney\Application Data\sun
2005-08-21 12:44 <DIR> C:\Program Files\Common Files\java
2005-08-21 12:41 <DIR> C:\Program Files\Common Files\adobe
2005-08-21 12:41 <DIR> C:\Program Files\adobe
2005-08-20 19:24 <DIR> C:\Program Files\Common Files\hp
2005-08-20 19:23 <DIR> C:\Program Files\hp
2005-08-20 19:23 <DIR> C:\Program Files\hewlett-packard
2005-08-20 19:22 <DIR> C:\Program Files\Common Files\hewlett-packard
2005-08-16 08:43 <DIR> C:\Program Files\Common Files\installshield
2005-08-06 16:59 <DIR> C:\Program Files\microsoft activesync
2005-08-02 17:36 <DIR> C:\Documents and Settings\Gurney\Application Data\macromedia
2005-07-30 18:44 <DIR> C:\Documents and Settings\Gurney\Application Data\creative
2005-07-19 23:03 <DIR> C:\Program Files\Common Files\nsv
2005-07-18 17:33 <DIR> C:\Program Files\teamspeak2_rc2
2005-07-17 14:05 <DIR> C:\Documents and Settings\Gurney\Application Data\mozilla
2005-07-17 13:48 <DIR> C:\Documents and Settings\Gurney\Application Data\help
2005-07-17 13:47 <DIR> C:\Program Files\ati multimedia
2005-07-17 13:46 <DIR> C:\Program Files\windows media components
2005-07-17 13:45 <DIR> C:\Program Files\Common Files\cyberlink
2005-07-02 08:13 <DIR> C:\Program Files\Common Files\speechengines
2005-07-02 08:13 <DIR> C:\Program Files\Common Files\odbc
2005-07-02 01:31 <DIR> C:\Program Files\uninstall information
2005-07-02 01:31 <DIR> C:\Documents and Settings\Gurney\Application Data\identities
2005-07-02 01:26 <DIR> C:\Program Files\xerox
2005-07-02 01:26 <DIR> C:\Program Files\microsoft frontpage
2005-07-02 01:25 <DIR> C:\Program Files\windowsupdate
2005-07-02 01:24 <DIR> C:\Program Files\netmeeting
2005-07-02 01:24 <DIR> C:\Program Files\movie maker
2005-07-02 01:24 <DIR> C:\Program Files\Common Files\services
2005-07-02 01:24 <DIR> C:\Program Files\Common Files\mssoap
2005-07-02 01:23 <DIR> C:\Program Files\complus applications
2005-07-02 01:22 <DIR> C:\Program Files\online services
2005-07-02 01:22 <DIR> C:\Program Files\msn gaming zone
2005-07-02 00:48 <DIR> C:\Program Files\creative


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-17 18:49 11,264 C:\ipod32.exe
2006-07-12 18:56 83,960 C:\WINDOWS\system32\zlcomm.dll
2006-07-12 18:56 796,584 C:\WINDOWS\system32\libeay32_0.9.6l.dll
2006-07-12 18:56 71,672 C:\WINDOWS\system32\zlcommdb.dll
2006-07-12 18:56 71,672 C:\WINDOWS\system32\vsregexp.dll
2006-07-12 18:56 59,384 C:\WINDOWS\system32\vswmi.dll
2006-07-12 18:56 394,872 C:\WINDOWS\system32\vsdatant.sys
2006-07-12 18:56 268,280 C:\WINDOWS\system32\vspubapi.dll
2006-07-12 18:56 104,440 C:\WINDOWS\system32\vsmonapi.dll
2006-07-12 18:56 100,344 C:\WINDOWS\system32\vsxml.dll
2006-07-12 18:55 83,960 C:\WINDOWS\system32\vsdata.dll
2006-07-12 18:55 440,312 C:\WINDOWS\system32\vsutil.dll
2006-07-12 18:55 157,688 C:\WINDOWS\system32\vsinit.dll
2006-07-11 20:59 151,112 C:\WINDOWS\aupdate32.exe
2006-07-11 17:28 286 C:\WINDOWS\autoupdate.bat
2006-07-11 13:29 183,296 C:\WINDOWS\NDNuninstall7_22.exe
2006-07-11 13:27 380,928 C:\WINDOWS\system32\WinNB58.dll
2006-07-11 13:23 303,104 C:\WINDOWS\system32\WinNB57.dll
2006-07-11 13:21 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-11 13:21 710,000 C:\WINDOWS\mgwdllg.exe
2006-07-11 13:21 409 C:\WINDOWS\tjlof.dll
2006-07-11 13:21 1,063 C:\WINDOWS\system32\zaqb791a.sys
2006-07-11 13:20 59,392 C:\WINDOWS\taskbmr.exe
2006-06-19 15:39 139,264 C:\WINDOWS\876056.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1124258803\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"ATI Launchpad"="\"C:\\Program Files\\ATI Multimedia\\main\\launchpd.exe\""
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,96,00,00,00,00,00,00,00,6a,04,00,00,00,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"kzfk"="C:\\PROGRA~1\\COMMON~1\\kzfk\\kzfkm.exe"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{A4437AED-0C78-1033-0114-050412210001}"="\"C:\\Program Files\\Common Files\\{A4437AED-0C78-1033-0114-050412210001}\\Update.exe\" mc-110-12-0000488"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"kzfk"="C:\\PROGRA~1\\COMMON~1\\kzfk\\kzfkm.exe"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"{A4437AED-0C78-1033-0114-050412210001}"="\"C:\\Program Files\\Common Files\\{A4437AED-0C78-1033-0114-050412210001}\\Update.exe\" mc-110-12-0000488"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Contents of the 'Scheduled Tasks' folder

Completion time: Mon 07/17/2006 18:57:52.71
ComboFix ver 06.07.16.2 - This logfile is located at C:\ComboFix.txt

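The log above is what the helper reads by eye: the "Files Created - Last 30days" listing and the "Reg Loading Points" dump. The Python below is an added example, not ComboFix's own code and not anything the helper posted; it parses those two section layouts and applies two of the checks a responder applies by hand, namely recently created executables dropped straight into a drive root or %WINDIR% (the classic dropper location in this log), and autorun values that live in the .DEFAULT or S-1-5-18 hive (which run at the logon screen without any user signed in), in a policies\Explorer\Run key, or that point at a GUID-named directory under Common Files. The embedded sample is a handful of lines copied from the log above; everything else (function names, the heuristics, the 30-day window) is the example's own assumption.

```python
"""Triage a ComboFix-style log (added example; not ComboFix's own code)."""
import re
from datetime import datetime, timedelta

# Constructed sample: a few lines copied from the log posted above, nothing more.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))

2006-07-17 18:49 11,264 C:\ipod32.exe
2006-07-12 18:56 83,960 C:\WINDOWS\system32\zlcomm.dll
2006-07-11 20:59 151,112 C:\WINDOWS\aupdate32.exe
2006-07-11 17:28 286 C:\WINDOWS\autoupdate.bat
2006-07-11 13:21 1,063 C:\WINDOWS\system32\zaqb791a.sys
2006-06-19 15:39 139,264 C:\WINDOWS\876056.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"kzfk"="C:\\PROGRA~1\\COMMON~1\\kzfk\\kzfkm.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"{A4437AED-0C78-1033-0114-050412210001}"="\"C:\\Program Files\\Common Files\\{A4437AED-0C78-1033-0114-050412210001}\\Update.exe\" mc-110-12-0000488"
"""
SCAN_TIME = datetime(2006, 7, 17, 18, 54)  # the "Start Time" of the log above

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")            # ((((( Section Name )))))
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+|<DIR>)\s+(.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")                          # [HKEY_...]
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')                # "name"="string value"
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".dll", ".sys"}


def unescape_reg(s):
    """Undo .reg string escaping: \\" becomes " and \\\\ becomes \\ (order matters)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_combofix(text):
    """Return {'files': [(datetime, size|None, path)], 'loadpoints': [(key, name, cmd)]}."""
    files, loadpoints, section, key = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1).lower(), None
            continue
        if section and section.startswith("files created"):
            m = FILE_RE.match(line)
            if m:
                when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
                size = None if m.group(2) == "<DIR>" else int(m.group(2).replace(",", ""))
                files.append((when, size, m.group(3)))
        elif section == "reg loading points":
            m = KEY_RE.match(line)
            if m:
                key = m.group(1)
                continue
            m = VALUE_RE.match(line)
            if m and key:  # dword:/hex: values do not match and are ignored
                loadpoints.append((key, m.group(1), unescape_reg(m.group(2))))
    return {"files": files, "loadpoints": loadpoints}


def suspicious_files(entries, now, days=30):
    """Executables created within `days` directly in a drive root or in %WINDIR% itself."""
    flagged = []
    for when, size, path in entries:
        if size is None:
            continue
        parent, _, name = path.rpartition("\\")
        ext = ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""
        hot_dir = re.fullmatch(r"[A-Za-z]:(\\WINDOWS)?", parent, re.IGNORECASE) is not None
        if ext in EXEC_EXT and hot_dir and now - when <= timedelta(days=days):
            flagged.append(path)
    return flagged


def suspicious_loadpoints(loadpoints):
    """(key, name, cmd, reasons) for autorun values that deserve a second look."""
    out = []
    for key, name, cmd in loadpoints:
        k, reasons = key.lower(), []
        if k.startswith("hkey_users\\.default\\") or k.startswith("hkey_users\\s-1-5-18\\"):
            reasons.append("runs from the .DEFAULT/LocalSystem hive, i.e. at the logon screen")
        if k.endswith("\\policies\\explorer\\run"):
            reasons.append("policy Run key, often missed by autorun viewers")
        if re.search(r"\\common files\\\{[0-9a-f-]+\}\\", cmd, re.IGNORECASE):
            reasons.append("GUID-named directory under Common Files")
        if reasons:
            out.append((key, name, cmd, reasons))
    return out


def triage(text, now):
    """Run both checks; returns flagged paths and (value name, reasons) pairs."""
    report = parse_combofix(text)
    return {"files": suspicious_files(report["files"], now),
            "loadpoints": [(n, r) for _, n, _, r in suspicious_loadpoints(report["loadpoints"])]}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, SCAN_TIME)
    for path in result["files"]:
        print("file    ", path)
    for name, reasons in result["loadpoints"]:
        print("autorun ", name, "->", "; ".join(reasons))
```

Both checks are heuristics for review, not verdicts: the log above also has AIM registered under the .DEFAULT hive, so a hit means "look at it", not "delete it". Run against the full ComboFix.txt the parser also ignores the Find3M and Qoologic sections, which use the same date layout but list files that are mostly legitimate system components.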

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:42 PM

Posted 18 July 2006 - 04:46 PM

Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as fix.reg (set Filetype to "All Files") and save it on your Desktop.

REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"kzfk"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{A4437AED-0C78-1033-0114-050412210001}"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"kzfk"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"{A4437AED-0C78-1033-0114-050412210001}"=-

Now Locate and DoubleClick fix.reg-> Allow it to merge into the Registry!


==============


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Click Tools -> Delete Temp Files
  • Place a check mark in all locations that aren't greyed out. By default they should already be checked.
  • Click Delete Selected Temp Files
  • When that completes, select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\qoobox\unfiow.exe.vir
    C:\qoobox\lwvmo.exe.vir
    C:\qoobox\bqllww.dat.vir
    C:\WINDOWS\tjlof.dll
    C:\WINDOWS\system32\zaqb791a.sys
    C:\WINDOWS\ndnuninstall7_22.exe
    C:\WINDOWS\system32\winnb58.dll
    C:\WINDOWS\system32\winnb57.dll
    C:\WINDOWS\taskbmr.exe
    C:\ipod32.exe
    C:\WINDOWS\aupdate32.exe
    C:\WINDOWS\autoupdate.bat
    C:\WINDOWS\mgwdllg.exe
    C:\WINDOWS\876056.exe
    C:\PROGRA~1\COMMON~1\kzfk\kzfkm.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
=============


Post a new hijackthis log.

I also need to see a different type of log from Hijackthis
  • Run Hijackthis.
  • Click on "Open the Misc Tools section".
  • Next click on "Open uninstall manager".
  • Press the button 'save list'. It will open a Notepad file.
  • Place the content of that file in your next reply.

Edited by Buckeye_Sam, 18 July 2006 - 04:46 PM.



========================================================
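The post above does two things by hand: it merges a REGEDIT4 file whose "name"=- lines delete the autorun values, and it uses Killbox's Delete on Reboot, which queues each path in the PendingFileRenameOperations value under Session Manager (the prompt the post asks about appears when that value already holds entries). Windows processes that REG_MULTI_SZ early in the next boot, before the malware can open and lock its files again; MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes the same value, as pairs of "\??\<source>" and an empty target meaning delete. The Python below is an added example, not the helper's tool and not Killbox's code: it generates such a fix.reg and shows the on-disk encoding. The registry keys and file paths in the demonstration are taken from the post; all function names and the line-wrapping width are the example's own assumptions.

```python
"""Generate a REGEDIT4 fix file (added example; not Killbox or the helper's tool)."""

PFRO_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
PFRO_NAME = "PendingFileRenameOperations"
REG_MULTI_SZ = 7  # the registry type number that appears in "hex(7):"


def reg_escape(s):
    """Escape a string for a .reg file: backslashes and double quotes get a backslash."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def delete_values_block(key, names):
    """[key] followed by one "name"=- line per value; "=-" deletes the value on merge."""
    return "\n".join(["[%s]" % key] + ['"%s"=-' % reg_escape(n) for n in names])


def multi_sz_bytes(strings):
    """REG_MULTI_SZ on disk: UTF-16LE, each string NUL-terminated, then one more NUL."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


def parse_multi_sz(data):
    """Inverse of multi_sz_bytes; keeps the empty strings that mark deletions."""
    text = data.decode("utf-16-le")
    return text[:-1].split("\x00")[:-1]


def pending_delete_strings(paths, existing=()):
    """Append a "\\??\\source" / "" pair per file to whatever is already queued,
    which is what MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) does with a NULL target."""
    strings = list(existing)
    for p in paths:
        strings.append("\\??\\" + p)
        strings.append("")
    return strings


def hex_value_lines(name, reg_type, data, per_line=25):
    """Lay out "name"=hex(N):xx,xx,... the way regedit exports it, wrapping with ',\\'."""
    hexes = ["%02x" % b for b in data]
    chunks = [hexes[i:i + per_line] for i in range(0, len(hexes), per_line)] or [[]]
    lines = []
    for i, chunk in enumerate(chunks):
        head = '"%s"=hex(%d):' % (reg_escape(name), reg_type) if i == 0 else "  "
        tail = ",\\" if i < len(chunks) - 1 else ""
        lines.append(head + ",".join(chunk) + tail)
    return "\n".join(lines)


def build_fix_reg(value_deletions, delete_on_reboot=(), existing_pending=()):
    """value_deletions: [(key, [value names])]; delete_on_reboot: Win32 paths to remove
    at next boot; existing_pending: strings already in the value, so they are not lost."""
    parts = ["REGEDIT4", ""]
    for key, names in value_deletions:
        parts += [delete_values_block(key, names), ""]
    if delete_on_reboot:
        data = multi_sz_bytes(pending_delete_strings(delete_on_reboot, existing_pending))
        parts += ["[%s]" % PFRO_KEY, hex_value_lines(PFRO_NAME, REG_MULTI_SZ, data), ""]
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    # Keys and paths below are the ones named in the post above.
    print(build_fix_reg(
        [(r"HKEY_USERS\.default\software\microsoft\windows\currentversion\run", ["kzfk"]),
         (r"HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run",
          ["{A4437AED-0C78-1033-0114-050412210001}"])],
        delete_on_reboot=[r"C:\WINDOWS\taskbmr.exe", r"C:\WINDOWS\system32\winnb58.dll"],
    ))
```

Two caveats a practitioner should keep in mind. Merging a .reg file replaces the whole PendingFileRenameOperations value, so anything already queued (a pending Windows Update rename, for instance) must be exported first and passed in as existing_pending; that is exactly the situation Killbox warns about. And because the value lives under HKLM\SYSTEM, the merge needs an administrator, which is the account the Killbox log above shows it ran as.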

#8 Redhead88

Redhead88
  • Topic Starter

  • Members
  • 10 posts
  • Local time:06:42 PM

Posted 18 July 2006 - 06:40 PM

First, that PendingFileRename box did not pop up. Here come the logs.

Pocket Killbox version 2.0.0.648
Running on Windows XP as Gurney(Administrator)
was started @ Tuesday, July 18, 2006, 6:30 PM

# 1 [Delete on Reboot]
Path = C:\qoobox\unfiow.exe.vir


# 2 [Delete on Reboot]
Path = C:\qoobox\lwvmo.exe.vir


# 3 [Delete on Reboot]
Path = C:\qoobox\bqllww.dat.vir


# 4 [Delete on Reboot]
Path = C:\WINDOWS\tjlof.dll


# 5 [Delete on Reboot]
Path = C:\WINDOWS\system32\zaqb791a.sys


# 6 [Delete on Reboot]
Path = C:\WINDOWS\ndnuninstall7_22.exe


# 7 [Delete on Reboot]
Path = C:\WINDOWS\system32\winnb58.dll


# 8 [Delete on Reboot]
Path = C:\WINDOWS\system32\winnb57.dll


# 9 [Delete on Reboot]
Path = C:\WINDOWS\taskbmr.exe


# 10 [Delete on Reboot]
Path = C:\WINDOWS\aupdate32.exe


# 11 [Delete on Reboot]
Path = C:\WINDOWS\autoupdate.bat


# 12 [Delete on Reboot]
Path = C:\WINDOWS\mgwdllg.exe


# 13 [Delete on Reboot]
Path = C:\WINDOWS\876056.exe


I Rebooted @ 6:33:12 PM
Killbox Closed(Exit) @ 6:33:24 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Gurney(Administrator)
was started @ Tuesday, July 18, 2006, 6:37 PM

Ad-Aware SE Personal
Adobe Acrobat 4.0
AOL Explorer
AOL Toolbar 2.0
AOL Uninstaller (Choose which Products to Remove)
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI DVD Decoder 2.2.0.0
ATI HydraVision
ATI Multimedia Center 8.1.0.0
ATI RADEON 9700 Car Paint Demo v1.1
AutoCAD 2006 - English
Call of Duty - United Offensive
Call of Duty® 2
Cheetah CD Burner
Creative MediaSource
Creative System Information
DAO
Dawn Of War - Winter Assault
DawnOfWar
DeadAIM
DivX
DivX Player
eMusic - 50 Free MP3 offer
ExtractNow
Fraps
GameSpy Arcade
Google Earth
HijackThis 1.99.1
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
HP Software Update
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
LimeWire 4.12.3
Lineage II
Linksys Wireless-G PCI Adapter
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office Standard Edition 2003
mIRC
Mozilla Firefox (1.0.7)
MSN
MSN Messenger 7.5
MSXML 4.0 SP2 Parser and SDK
Nostromo Array Programming Software
QuickTime
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Sound Blaster Audigy 2
Spybot - Search & Destroy 1.4
TeamSpeak 2 RC2
Trillian
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Ventrilo Client
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar (Remove Only)
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WinRAR archiver
Xfire (remove only)
ZoneAlarm

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:42 PM

Posted 18 July 2006 - 06:44 PM

Please click Start -> Control Panel -> Add/Remove Programs and uninstall these programs:

J2SE Runtime Environment 5.0 Update 3
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar (Remove Only)



================


Updating Java and Clearing Cache
  • Go to Start > Control Panel and double-click the Java icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java, then reboot.
  • If you are unable to update, you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - leave ALL 3 checked:
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
===============


Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.



========================================================

#10 Redhead88

Redhead88
  • Topic Starter

  • Members
  • 10 posts
  • Local time:06:42 PM

Posted 18 July 2006 - 10:35 PM

Incident Status Location

Adware:adware/commad Not disinfected Windows Registry
Adware:adware/sidesearch Not disinfected Windows Registry
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\aupdate32.exe
Spyware:Spyware/New.net Not disinfected C:\!KillBox\NDNuninstall7_22.exe
Virus:W32/Oscarbot.JD.worm Disinfected C:\!KillBox\taskbmr.exe
Adware:Adware/Mirar Not disinfected C:\!KillBox\WinNB57.dll
Adware:Adware/Mirar Not disinfected C:\!KillBox\WinNB58.dll
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Gurney\Application Data\Mozilla\Firefox\Profiles\ft16gkzj.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Gurney\Application Data\Mozilla\Firefox\Profiles\ft16gkzj.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Gurney\Application Data\Mozilla\Firefox\Profiles\ft16gkzj.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Gurney\Application Data\Mozilla\Firefox\Profiles\ft16gkzj.default\cookies.txt[.com.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Gurney\Application Data\Mozilla\Firefox\Profiles\ft16gkzj.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Gurney\Application Data\Mozilla\Firefox\Profiles\ft16gkzj.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Gurney\Application Data\Mozilla\Firefox\Profiles\ft16gkzj.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Gurney\Application Data\Mozilla\Firefox\Profiles\ft16gkzj.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Gurney\Application Data\Mozilla\Firefox\Profiles\ft16gkzj.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Gurney\Application Data\Mozilla\Firefox\Profiles\ft16gkzj.default\cookies.txt[adserver.filefront.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Gurney\Application Data\Mozilla\Firefox\Profiles\ft16gkzj.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Gurney\Application Data\Mozilla\Firefox\Profiles\ft16gkzj.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Gurney\Application Data\Mozilla\Firefox\Profiles\ft16gkzj.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Gurney\Application Data\Mozilla\Firefox\Profiles\ft16gkzj.default\cookies.txt[.findwhat.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Gurney\Application Data\Mozilla\Firefox\Profiles\ft16gkzj.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Gurney\Cookies\gurney@atdmt[1].txt
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Q1GVS3KH\115[1].net[direct3.exe]
Virus:Trj/Downloader.JMV Disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Q1GVS3KH\msmon[1].zip
Virus:Trj/Downloader.JMV Disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Q1GVS3KH\pendb[1].zip
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRYHYB2T\102[1].net[SSK3_B5.exe]
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRYHYB2T\115[1].net[direct3.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{A4437AED-0C78-1033-0114-050412210001}\services.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{A4437AED-0C78-1033-0114-050412210001}\Update.exe
Adware:Adware/DollarRevenue Not disinfected C:\RECYCLER\S-1-5-18\Dc1.exe
Adware:Adware/DollarRevenue Not disinfected C:\RECYCLER\S-1-5-18\Dc10.exe
Adware:Adware/DollarRevenue Not disinfected C:\RECYCLER\S-1-5-18\Dc3.exe
Virus:Trj/Downloader.JMJ Disinfected C:\RECYCLER\S-1-5-18\Dc5.exe
Virus:Trj/Downloader.JMV Disinfected C:\RECYCLER\S-1-5-18\Dc6.com
Adware:Adware/DollarRevenue Not disinfected C:\RECYCLER\S-1-5-18\Dc8.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\SmFjaw\mAI3uT.vbs

Logfile of HijackThis v1.99.1
Scan saved at 10:34:46 PM, on 7/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\AOL\1124258803\ee\AOLSoftware.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Gurney\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124258803\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Mobile Task Scheduler (MBST) - Unknown owner - C:\WINDOWS\taskbmr.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:42 PM

Posted 19 July 2006 - 08:35 AM

Delete these folders.

C:\Program Files\Common Files\{A4437AED-0C78-1033-0114-050412210001}
C:\WINDOWS\SmFjaw



=============


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



=============


Click Start > Run and type these commands hitting enter after each one:

sc stop MBST

sc delete MBST



=============


Reboot and post a new hijackthis log.
Let me know how things are working on your end.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
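As an added example that is not part of this thread, the following Python script triages the O23 service lines of a HijackThis log the way the helper does above: a service marked "(file missing)" whose executable is also absent from the log's running-process list is an orphaned registration that `sc stop` / `sc delete` removes, while one whose executable does appear in the process list (the Linksys WMP54Gv4SVC entry, whose two-part ImagePath HijackThis could not resolve) is a false alarm to verify rather than delete. The sample lines are copied from the 7/18/2006 log; the "review" heuristic for unsigned binaries sitting directly in the Windows directory is my own assumption, not a HijackThis rule.

```python
import re
from dataclasses import dataclass
from typing import Dict

# Sample lines copied from the 7/18/2006 HijackThis log in this thread
# (a trimmed "Running processes:" section plus four O23 service lines).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Mobile Task Scheduler (MBST) - Unknown owner - C:\WINDOWS\taskbmr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)
"""

MISSING = " (file missing)"
EXE_RE = re.compile(r'^"?(.+?\.exe)', re.IGNORECASE)  # first executable, quoting/args dropped


@dataclass
class Service:
    display: str
    name: str          # short name as used by `sc`; falls back to the display name
    owner: str
    image: str         # raw image path exactly as HijackThis printed it
    file_missing: bool

    @property
    def exe(self) -> str:
        """Lower-cased path of the first executable in the image path."""
        m = EXE_RE.match(self.image)
        return (m.group(1) if m else self.image).lower()


def parse_o23(line: str) -> Service:
    """Split 'O23 - Service: Display (short) - Owner - Path [(file missing)]'."""
    body = line[len("O23 - Service: "):]
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)]
    display, owner, image = body.rsplit(" - ", 2)  # rsplit keeps ' - ' inside display names intact
    m = re.fullmatch(r"(.*) \(([^()]+)\)", display)
    name, display = (m.group(2), m.group(1)) if m else (display, display)
    return Service(display, name, owner, image, missing)


def parse_log(text: str):
    """Collect the running-process paths and the O23 service entries from a log."""
    procs, services = set(), []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("O23 - Service: "):
            services.append(parse_o23(line))
        elif re.match(r"^[A-Za-z]:\\", line):       # lines of the 'Running processes:' block
            procs.add(line.lower())
    return procs, services


def triage(text: str) -> Dict[str, str]:
    """Map each service short name to a verdict, mirroring the helper's reasoning."""
    procs, services = parse_log(text)
    verdicts = {}
    for s in services:
        if s.file_missing and s.exe in procs:
            verdicts[s.name] = "verify: HijackThis could not resolve the ImagePath, but the binary is running"
        elif s.file_missing:
            verdicts[s.name] = f"orphaned: remove with `sc stop {s.name}` then `sc delete {s.name}`"
        elif s.owner == "Unknown owner" and re.fullmatch(r"c:\\windows\\[^\\]+", s.exe):
            verdicts[s.name] = "review: unsigned-owner binary directly in the Windows directory (assumed heuristic)"
        else:
            verdicts[s.name] = "ok"
    return verdicts
```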


========================================================

#12 Redhead88

Redhead88
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:42 PM

Posted 19 July 2006 - 05:31 PM

I was unable to find C:\WINDOWS\SmFjaw, neither could Search, I don't think it exists. Otherwise, things seem to be running ok to my very un-trained eye, not completely sure. The machine doesn't seem to be experiencing any detrimental performance, but, again, I'm really not 100% sure.

Logfile of HijackThis v1.99.1
Scan saved at 5:30:06 PM, on 7/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\PCARmDrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Gurney\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124258803\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:42 PM

Posted 20 July 2006 - 11:37 AM

I was unable to find C:\WINDOWS\SmFjaw, neither could Search, I don't think it exists. Otherwise, things seem to be running ok to my very un-trained eye, not completely sure. The machine doesn't seem to be experiencing any detrimental performance, but, again, I'm really not 100% sure.

It's there, just hidden from view.
  • Click Start -> My Computer
  • Select Tools -> Folder options
  • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
  • Also make sure that 'Display the contents of system folders' is checked.
  • Make sure "Hide extensions for known file types" is unchecked
  • Make sure "Hide protected operating system files (recommended)" is unchecked
  • For more info on how to show hidden files click here.
Now you should be able to see it and delete it.
Let me know how it goes.


========================================================

#14 Redhead88

Redhead88
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:42 PM

Posted 20 July 2006 - 11:52 AM

When I get home from work and try that step again, would you like me to redo the other steps in that post?

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:42 PM

Posted 20 July 2006 - 11:59 AM

No, you shouldn't have to do anything other than just delete that folder.

Although you can run ATF Cleaner on a regular basis to keep your temp files from building up. It's a good program. I use it almost daily myself.


========================================================