Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Spy Sheriff, Smitfraud, Torpig, System Doctor2006, And A Few Others


  • This topic is locked This topic is locked
19 replies to this topic

#1 fowzee

fowzee

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:30 AM

Posted 18 July 2006 - 05:33 AM

Hi,

Basically, I have been infected with a whole host of malware/spyware/viruses etc. and I have had to physically disconnect my computer from the Internet in order to prevent more malware from being downloaded to my computer.

I scanned my computer with Ad-Aware and Spybot S&D multiple times (all while physically disconnected from the Internet). I also booted up in Safe-Mode (while disconnected from the Internet) and ran SmitFraudFix. It took approximately half a dozen times before scans with Ad-Aware, Spybot, and SmitFraudFix came up clean. Some of the things detected (and removed) by these three programs were:

SpyDoctor2006
SmitFraud
SpySheriff
Torpig
Slogger
Pipas.A
and various Trojan Downloaders etc.

I then re-connected to the Internet to try to download Bit Defender and noticed Internet Explorer's Menu Bar was not visible (i.e. File/Edit/View/Favorites/Tools/Help), which made me realize I was still infected with stuff. Also, downloading was extremely slow (I'm on ADSL). I immediately disconnected from the Internet, booted up my computer, re-ran Spybot/Ad-Aware/SmitFraudFix and found out I was re-infected with much of the same stuff I had just cleaned. So it seems Spybot/Ad-Aware/SmitFraudFix missed something important and whatever they missed is still downloading heaps of stuff onto my harddrive when I connect to the Internet.

So while my computer appears 100% clean now (according to Spybot/Ad-Aware/SmitFraudFix), I know there is still a big problem and that is why I am posting my HijackThis log here.

I should also note that I killed the C:\whkqqmr.exe process and deleted the associated file (subsequent to generating the HijackThis log I'm about to post). Additionally, I tried to download Bit Defender from my university's computer lab and I put the install file on my memory stick but when I tried to bring it home and install it on my infected computer it wouldn't let me. Also, I cannot use Ewido as I have already used it once before and my "trial period" has expired.

I am writing this post from my university computer lab since I cannot (safely) connect to the Internet from my home computer. Any help would be greatly appreciated! Here is a copy of my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:01:21 PM, on 7/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\663a9a7a.exe
C:\WINDOWS\System32\ctfmon.exe
C:\whkqqmr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {5704CEC5-5B29-93F1-91C1-7029C1487D30} - corrida.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87185E78-A61B-4DB3-965A-3235BBD7A622} - C:\WINDOWS\system32\win32hp.dll
O2 - BHO: (no name) - {F484C398-C71D-4482-8700-A9CCE5D2A0BE} - C:\WINDOWS\system32\win32hp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [win32hp] C:\WINDOWS\System32\win32hlp.exe
O4 - HKLM\..\Run: [663a9a7a.exe] C:\WINDOWS\System32\663a9a7a.exe
O4 - HKLM\..\Run: [prgsys0984] bnui.exe
O4 - HKLM\..\Run: [dmbtr.exe] C:\WINDOWS\System32\dmbtr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [stup] C:\whkqqmr.exe
O4 - HKCU\..\Run: [663a9a7a.exe] C:\Documents and Settings\Tony\Local Settings\Application Data\663a9a7a.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [barint] sbin.exe
O4 - HKCU\..\Run: [ActionScr] zxc.exe
O4 - HKCU\..\Run: [trycrt] typeconf.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0625409-FA63-4047-96D2-D1E3333E3A91}: NameServer = 85.255.115.3,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEABBD5E-9F09-48F9-B560-3D88EBDE5384}: NameServer = 85.255.115.3,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0B017EE-218D-4686-B51C-5825403B7521}: NameServer = 85.255.115.3,85.255.112.11
O17 - HKLM\System\CS7\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.11
O17 - HKLM\System\CS8\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.11
O17 - HKLM\System\CS9\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.11
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: emldvc - C:\WINDOWS\SYSTEM32\emldvc.dll
O20 - Winlogon Notify: se500mdm - C:\WINDOWS\SYSTEM32\se500mdm.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Regards,

Anthony

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:30 AM

Posted 19 July 2006 - 01:18 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log into this topic.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 fowzee

fowzee
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:30 AM

Posted 20 July 2006 - 10:18 AM

Hi Sam,

Thanks in advance for the help. Here is the Fixwareout report:

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\hdpmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmpdh.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects
Directory of C:\WINDOWS\system32
{49582767-1333-49BF-8C58-2C25F4DB0F32}.exe

============================================================================================

And here is the HJT log (after running Fixwareout):

Logfile of HijackThis v1.99.1
Scan saved at 8:16:52 PM, on 7/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\663a9a7a.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {5704CEC5-5B29-93F1-91C1-7029C1487D30} - corrida.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87185E78-A61B-4DB3-965A-3235BBD7A622} - C:\WINDOWS\system32\win32hp.dll
O2 - BHO: (no name) - {F484C398-C71D-4482-8700-A9CCE5D2A0BE} - C:\WINDOWS\system32\win32hp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [win32hp] C:\WINDOWS\System32\win32hlp.exe
O4 - HKLM\..\Run: [663a9a7a.exe] C:\WINDOWS\System32\663a9a7a.exe
O4 - HKLM\..\Run: [prgsys0984] bnui.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [stup] C:\whkqqmr.exe
O4 - HKCU\..\Run: [663a9a7a.exe] C:\Documents and Settings\Tony\Local Settings\Application Data\663a9a7a.exe
O4 - HKCU\..\Run: [barint] sbin.exe
O4 - HKCU\..\Run: [ActionScr] zxc.exe
O4 - HKCU\..\Run: [trycrt] typeconf.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0625409-FA63-4047-96D2-D1E3333E3A91}: NameServer = 85.255.115.3,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEABBD5E-9F09-48F9-B560-3D88EBDE5384}: NameServer = 85.255.115.3,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0B017EE-218D-4686-B51C-5825403B7521}: NameServer = 85.255.115.3,85.255.112.11
O17 - HKLM\System\CS7\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.11
O17 - HKLM\System\CS8\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.11
O17 - HKLM\System\CS9\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.11
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: emldvc - C:\WINDOWS\SYSTEM32\emldvc.dll
O20 - Winlogon Notify: se500mdm - C:\WINDOWS\SYSTEM32\se500mdm.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

============================================================================================

Just a question: Is it safe for me to connect to the Internet now for the purpose of downloading the spyware removal tools we will need to disinfect my computer? The reason I ask is that I am currently downloading these files from a lab, walking 30 minutes back home, installing the files on my computer, then walking 30 minutes back to the lab to post the results on this forum. Its not a big deal, but I figured I'd ask just to see.

-Anthony

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:30 AM

Posted 20 July 2006 - 01:02 PM

Yes, it's ok. You still have active malware on your computer and you'll have to deal with some popups while we get you fixed up, but it won't hurt your computer.

Please download and run these two tools, in this order and post their respective logs in your next reply.



Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



===============


Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
  • Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido scan report along with a new hijackthis log.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 fowzee

fowzee
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:30 AM

Posted 20 July 2006 - 01:19 PM

Hi Sam,

My Ewido free-trial period has already expired as a result of a previous infection (unfortunately, I share my computer with roommates and didn't have time to install any protection after the last infection). Is there an alternative to Ewido?

-Anthony

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:30 AM

Posted 20 July 2006 - 05:57 PM

When the trial of Ewido is over the program still works. You just lose some of the advanced functionality. But you can still update the program and complete a scan.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 fowzee

fowzee
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:30 AM

Posted 21 July 2006 - 01:02 AM

Hi Sam,

I had problems running Combofix and the following message appeared:

"Unable to run com files !! Possible rootkit inteference. Tell this to the forum helper. Combofix will now exit"

Tried rebooting a few times and running it and tried running it after the Ewido scan with the same results.

==========================================

Here is my first Ewido scan log (before updating the virus definitions):

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:29:50 PM, 7/21/2006
+ Report-Checksum: 7767AFFA

+ Scan result:

[592] C:\WINDOWS\system32\se500mdm.dll -> Logger.Goldun.kc : Cleaned with backup
[1100] C:\WINDOWS\System32\se500mdm.dll -> Logger.Goldun.kc : Error during cleaning
[1244] C:\WINDOWS\system32\se500mdm.dll -> Logger.Goldun.kc : Error during cleaning
[1352] C:\WINDOWS\System32\se500mdm.dll -> Logger.Goldun.kc : Error during cleaning
[1372] C:\WINDOWS\System32\se500mdm.dll -> Logger.Goldun.kc : Error during cleaning
[1400] C:\WINDOWS\System32\se500mdm.dll -> Logger.Goldun.kc : Error during cleaning
[1432] C:\WINDOWS\System32\se500mdm.dll -> Logger.Goldun.kc : Error during cleaning
[1520] C:\WINDOWS\System32\se500mdm.dll -> Logger.Goldun.kc : Error during cleaning
[1556] C:\WINDOWS\System32\se500mdm.dll -> Logger.Goldun.kc : Error during cleaning
[1612] C:\WINDOWS\System32\se500mdm.dll -> Logger.Goldun.kc : Error during cleaning
[1648] C:\WINDOWS\System32\se500mdm.dll -> Logger.Goldun.kc : Error during cleaning
[1824] C:\WINDOWS\System32\se500mdm.dll -> Logger.Goldun.kc : Error during cleaning
[2008] C:\WINDOWS\System32\se500mdm.dll -> Logger.Goldun.kc : Error during cleaning
[2036] C:\WINDOWS\System32\se500mdm.dll -> Logger.Goldun.kc : Error during cleaning
[156] C:\WINDOWS\System32\se500mdm.dll -> Logger.Goldun.kc : Error during cleaning
[176] C:\WINDOWS\System32\se500mdm.dll -> Logger.Goldun.kc : Error during cleaning
[204] C:\WINDOWS\System32\se500mdm.dll -> Logger.Goldun.kc : Error during cleaning
[268] C:\WINDOWS\System32\se500mdm.dll -> Logger.Goldun.kc : Error during cleaning
[1748] C:\WINDOWS\System32\se500mdm.dll -> Logger.Goldun.kc : Error during cleaning
C:\Program Files\Internet Explorer\lock.exe -> Downloader.Delf.ang : Cleaned with backup


::Report End

Here is my second Ewido scan (after updating virus definitions):

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:54:42 PM, 7/21/2006
+ Report-Checksum: 37701B86

+ Scan result:

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.dll -> Trojan.Sinowal.ae : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.dll -> Trojan.Sinowal.ae : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\_ibm00003.exe -> Trojan.Sinowal.ae : Cleaned with backup
C:\WINDOWS\system32\552.exe -> Downloader.Delf.ang : Cleaned with backup
C:\WINDOWS\system32\bfckplle.exe -> Proxy.Wopla.y : Cleaned with backup
C:\WINDOWS\system32\blfpboeb.exe -> Proxy.Wopla.y : Cleaned with backup
C:\WINDOWS\system32\cmkkkalq.exe -> Proxy.Wopla.y : Cleaned with backup
C:\WINDOWS\system32\emldvc.dll -> Logger.Goldun.kt : Cleaned with backup
C:\WINDOWS\system32\ib14.dll -> Downloader.Banload.avj : Cleaned with backup
C:\WINDOWS\system32\kaielnno.exe -> Proxy.Wopla.y : Cleaned with backup
C:\WINDOWS\system32\olblbbdc.exe -> Proxy.Wopla.y : Cleaned with backup
C:\WINDOWS\system32\win32hlp.exe -> Downloader.Delf.ang : Cleaned with backup
C:\WINDOWS\system32\win32hp.dll -> Adware.BHO : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__se500mdm.dll -> Logger.Goldun.kc : Cleaned with backup


::Report End

============================================

Things are looking better already - my menu bar is back on IE and much less pop-ups.

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:30 AM

Posted 21 July 2006 - 04:07 PM

Did you try to run Combofix after the second Ewido scan? If not, try it again now and see if it runs for you.

I also need to see a fresh hijackthis log.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 fowzee

fowzee
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:30 AM

Posted 21 July 2006 - 05:03 PM

I must not have - it worked this time. Or maybe it was the reboot. Anyways, here is my ComboFix Log:

Start Time= Sat 07/22/2006 7:51:11.31
Running from: C:\Documents and Settings\Tony\Desktop

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



Rootkit driver pe386 is present. A rootkit scan is required

2006-07-21 16:03 <DIR> C:\Program Files\ewido anti-malware
2006-07-21 15:29 <DIR> C:\Program Files\internet explorer
2006-07-20 20:16 <DIR> C:\Program Files\hijackthis
2006-07-19 03:52 970 C:\WINDOWS\win.ini
2006-07-19 03:52 <DIR> C:\Program Files\softwin
2006-07-19 03:52 <DIR> C:\Program Files\Common Files\softwin
2006-07-19 03:52 <DIR> C:\Program Files\common files
2006-07-18 14:09 62,812 C:\WINDOWS\system32\lzx32.sys
2006-07-17 19:12 <DIR> C:\Program Files\spybot - search & destroy
2006-07-17 18:05 424,718 C:\WINDOWS\system32\{49582767-1333-49bf-8c58-2c25f4db0f32}.exe
2006-07-16 23:54 6,896 C:\WINDOWS\system32\se500mdmd.sys
2006-07-16 02:54 <DIR> C:\Program Files\lavasoft
2006-07-16 02:54 <DIR> C:\Documents and Settings\Tony\Application Data\lavasoft
2006-07-15 10:06 1,125 C:\WINDOWS\winamp.ini
2006-06-28 21:56 <DIR> C:\Program Files\ipod
2006-06-06 14:21 5,120 C:\WINDOWS\cpu.exe
2006-05-28 19:37 <DIR> C:\Program Files\icuii5


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-18 18:57 1,073,074,176 C:\hiberfil.sys
2006-07-17 22:25 21,504 C:\WINDOWS\system32\663a9a7a.exe
2006-07-17 18:05 424,718 C:\WINDOWS\system32\{49582767-1333-49BF-8C58-2C25F4DB0F32}.exe
2006-07-16 23:54 6,896 C:\WINDOWS\system32\se500mdmd.sys
2006-07-16 02:42 62,812 C:\WINDOWS\system32\lzx32.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"663a9a7a.exe"="C:\\WINDOWS\\System32\\663a9a7a.exe"
"prgsys0984"="bnui.exe"
"BDMCon"="\"C:\\Program Files\\Softwin\\BitDefender8\\bdmcon.exe\""
"BDNewsAgent"="\"C:\\Program Files\\Softwin\\BitDefender8\\bdnagent.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"stup"="C:\\whkqqmr.exe"
"663a9a7a.exe"="C:\\Documents and Settings\\Tony\\Local Settings\\Application Data\\663a9a7a.exe"
"barint"="sbin.exe"
"ActionScr"="zxc.exe"
"trycrt"="typeconf.exe"
"shell"="\"C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\ibm00003.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"Register Homesite+.exe"="\"C:\\Program Files\\Macromedia\\HomeSite+\\Homesite+.exe\" /REGSERVER"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHQInit]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AHQInit"
"hkey"="HKLM"
"command"="C:\\Program Files\\Creative\\SBLive\\Program\\AHQInit.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTRegRun"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\CTRegRun.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTSysVol"
"hkey"="HKLM"
"command"="C:\\Program Files\\Creative\\SB Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdReg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\UpdReg.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vptray"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"inimapping"="0"



Contents of the 'Scheduled Tasks' folder

Completion time: Sat 07/22/2006 7:52:49.46
ComboFix ver 06.07.20 - This logfile is located at C:\ComboFix.txt

ComboFix.txt

==========================================================================================================================================

And here is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:56:56 AM, on 7/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\663a9a7a.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\program files\softwin\bitdefender8\bdmcon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {5704CEC5-5B29-93F1-91C1-7029C1487D30} - corrida.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87185E78-A61B-4DB3-965A-3235BBD7A622} - C:\WINDOWS\system32\win32hp.dll (file missing)
O2 - BHO: (no name) - {F484C398-C71D-4482-8700-A9CCE5D2A0BE} - C:\WINDOWS\system32\win32hp.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [663a9a7a.exe] C:\WINDOWS\System32\663a9a7a.exe
O4 - HKLM\..\Run: [prgsys0984] bnui.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [stup] C:\whkqqmr.exe
O4 - HKCU\..\Run: [663a9a7a.exe] C:\Documents and Settings\Tony\Local Settings\Application Data\663a9a7a.exe
O4 - HKCU\..\Run: [barint] sbin.exe
O4 - HKCU\..\Run: [ActionScr] zxc.exe
O4 - HKCU\..\Run: [trycrt] typeconf.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0625409-FA63-4047-96D2-D1E3333E3A91}: NameServer = 85.255.115.3,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEABBD5E-9F09-48F9-B560-3D88EBDE5384}: NameServer = 85.255.115.3,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0B017EE-218D-4686-B51C-5825403B7521}: NameServer = 85.255.115.3,85.255.112.11
O17 - HKLM\System\CS7\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.11
O17 - HKLM\System\CS8\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.11
O17 - HKLM\System\CS9\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.11
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: emldvc - emldvc.dll (file missing)
O20 - Winlogon Notify: se500mdm - se500mdm.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Edited by fowzee, 21 July 2006 - 05:07 PM.


#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:30 AM

Posted 21 July 2006 - 08:03 PM

Please follow these steps:
  • Please make sure that you can View Hidden Files
    • Click Start -> My Computer
    • Select Tools -> Folder options
    • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
    • Also make sure that 'Display the contents of system folders' is checked.
    • Make sure "Hide extensions for known file types" is unchecked
    • Make sure "Hide protected operating system files (recommended)" is unchecked
    • For more info on how to show hidden files click here.
  • Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {5704CEC5-5B29-93F1-91C1-7029C1487D30} - corrida.dll (file missing)
    O2 - BHO: (no name) - {87185E78-A61B-4DB3-965A-3235BBD7A622} - C:\WINDOWS\system32\win32hp.dll (file missing)
    O2 - BHO: (no name) - {F484C398-C71D-4482-8700-A9CCE5D2A0BE} - C:\WINDOWS\system32\win32hp.dll (file missing)
    O4 - HKLM\..\Run: [663a9a7a.exe] C:\WINDOWS\System32\663a9a7a.exe
    O4 - HKLM\..\Run: [prgsys0984] bnui.exe
    O4 - HKCU\..\Run: [stup] C:\whkqqmr.exe
    O4 - HKCU\..\Run: [663a9a7a.exe] C:\Documents and Settings\Tony\Local Settings\Application Data\663a9a7a.exe
    O4 - HKCU\..\Run: [barint] sbin.exe
    O4 - HKCU\..\Run: [ActionScr] zxc.exe
    O4 - HKCU\..\Run: [trycrt] typeconf.exe
    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
    O16 - DPF: ppctlcab - <a href="http://69.44.122.156/scanner/ppctlcab.cab" target="_blank">http://69.44.122.156/scanner/ppctlcab.cab</a>
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D0625409-FA63-4047-96D2-D1E3333E3A91}: NameServer = 85.255.115.3,85.255.112.11
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DEABBD5E-9F09-48F9-B560-3D88EBDE5384}: NameServer = 85.255.115.3,85.255.112.11
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F0B017EE-218D-4686-B51C-5825403B7521}: NameServer = 85.255.115.3,85.255.112.11
    O17 - HKLM\System\CS7\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.11
    O17 - HKLM\System\CS8\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.11
    O17 - HKLM\System\CS9\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.11
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.11
    O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
    O20 - Winlogon Notify: emldvc - emldvc.dll (file missing)
    O20 - Winlogon Notify: se500mdm - se500mdm.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)



  • Please reboot your computer in SafeMode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.
    • If you have trouble getting into Safe mode go here for more info.
  • Once in Safe mode, delete these files or directories (Do not be concerned if they do not exist):


    C:\WINDOWS\cpu.exe
    C:\WINDOWS\system32\lzx32.sys
    C:\WINDOWS\system32\{49582767-1333-49bf-8c58-2c25f4db0f32}.exe
    C:\WINDOWS\system32\se500mdmd.sys
    C:\WINDOWS\System32\663a9a7a.exe
    C:\Documents and Settings\Tony\Local Settings\Application Data\663a9a7a.exe
    C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
    C:\Program Files\Common Files\Microsoft Shared\Web Folders <-- delete all files beginning with ibm0000 that are found within this folder


  • Delete your temp files
    • Navigate to the C:\Windows\Temp folder.
    • Open the Temp folder
    • Select Edit -> Select All
    • Select Edit -> Delete(or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Navigate to the C:\Windows\Prefetch folder.
    • Open the Prefetch folder
    • Select Edit -> Select All
    • Select Edit -> Delete(or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Click Start -> Run and type %temp% in the Run box.
    • Select Edit -> Select All
    • Select Edit -> Delete(or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Click Start -> Control Panel -> Internet Options.
    • Select the General tab
    • Under "Temporary Internet Files" Click "Delete Files".
    • Put a check by "Delete Offline Content" and click OK.
    • Click on the Programs tab then click the "Reset Web Settings" button.
    • Click Apply then OK.
  • Empty the Recycle Bin.
Reboot your computer to go back to normal mode.


Now lets check some settings on your system.
  • Enter your Control Panel and double-click on Network Connections
  • Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL
  • Left click on Properties
  • Double-Click on the Internet Protocol (TCP/IP) item
  • Select the radio dial that says Obtain DNS Servers Automatically
  • Press OK twice to get out of the properties screen and reboot if it asks
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)



===============


Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

Edited by Buckeye_Sam, 21 July 2006 - 08:04 PM.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 fowzee

fowzee
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:30 AM

Posted 22 July 2006 - 04:56 AM

Alright, there were two things of note:

1) I could not delete -> C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll and it was actually located at C:\Documents and Settings\All Users\Shared Documents\Settings\artm_new.dll

It said that a process or program was currently using it.

2) There were 0 ibm0000* files in C:\Program Files\Common Files\Microsoft Shared\Web Folders\

=====================================================================

Here is my ActiveScan report:


Incident Status Location

Adware:adware/vog Not disinfected c:\program files\internet explorer\update.exe
Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\clsid\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/cws Not disinfected Windows Registry
Potentially unwanted tool:application/kill&clean Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779}
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Tony\Cookies\tony@ad.sensismediasmart.com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Tony\Cookies\tony@doubleclick[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Tony\Desktop\SmitfraudFix\Process.exe
Virus:W32/HLLC.Fufa.A Disinfected C:\Program Files\Aussie Résumés\arw40.exe
Virus:Trj/Ruins.MB Disinfected C:\WINDOWS\system32\dmpdh.exe
Potentially unwanted tool:Application/BrilliantDigital Not disinfected E:\Program Files\KaZaA\bdcore.dll
=====================================================================

And here is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:54:44 PM, on 7/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:30 AM

Posted 22 July 2006 - 09:04 AM

Fix this line with Hijackthis.

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll


=============


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Delete Temp Files
    • Click Tools -> Delete Temp Files
    • Place a check mark in all locations that aren't greyed out. By default they should already be checked.
    • Click Delete Selected Temp Files
  • Once that completes, select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
    C:\Documents and Settings\All Users\Shared Documents\Settings\artm_new.dll
    c:\program files\internet explorer\update.exe
    C:\Program Files\Aussie Résumés\arw40.exe
    C:\WINDOWS\system32\dmpdh.exe
    E:\Program Files\KaZaA\bdcore.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
Please post a new hijackthis log and let me know of any problems that you are still having.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 fowzee

fowzee
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:30 AM

Posted 22 July 2006 - 09:38 AM

Hi Sam,

I ran KillBox and it deleted everything except the following three items (which it wouldn't let me paste into the pathname field):

C:\Documents and Settings\All Users\Shared Documents\Settings\artm_new.dll
C:\Program Files\Aussie Résumés\arw40.exe
C:\WINDOWS\system32\dmpdh.exe

When I looked for the above three files (before and after rebooting) they were not there, so I'm assuming that's why I KillBox wouldn't accept them. Also, there was NO "PendingFileRenameOperations prompt."

Here is my KillBox log:

Pocket Killbox version 2.0.0.648
Running on Windows XP as Tony(Administrator)
was started @ Sunday, July 23, 2006, 12:16 AM

# 1 [Delete on Reboot]
Path = C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll


# 2 [Delete on Reboot]
Path = C:\Program Files\Internet Explorer\update.exe


# 3 [Delete on Reboot]
Path = E:\Program Files\KaZaA\bdcore.dll


I Rebooted @ 12:25:00 AM
Killbox Closed(Exit) @ 12:25:01 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Tony(Administrator)
was started @ Sunday, July 23, 2006, 12:26 AM

==========================================================================================================================================

Here is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:32:42 AM, on 7/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

I seem to have no other problems, but if possible I would like to tidy up my HJT log further. For example, that 020 line still shows the artm_new.dll file (even though it says the file is missing). What do you think?

-Anthony

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:30 AM

Posted 22 July 2006 - 09:27 PM

Absolutely correct! :thumbsup:

Fix this line with Hijackthis.

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing)


Reboot and let me know if everything is still working well for you.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 fowzee

fowzee
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:30 AM

Posted 22 July 2006 - 09:49 PM

Yep - rebooted and everything looks great. Didn't think my computer would ever be normal again :thumbsup:. Thanks tons!

Is there any recommended (free) software I should install to make sure it doesn't get infected again?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users