Trying To Fix The Worst Pc Ever, Please Help


  • This topic is locked
11 replies to this topic

#1 Kiafi

  • Members
  • 5 posts

Posted 27 July 2006 - 07:24 PM

Hello all, trying to disinfect my girlfriend's computer, I've installed Ad-Aware, Spybot, and Kaspersky Auto Virus. With msconfig and the task manager I see a bunch of processes that I have no idea what they are, and some of them have no result on Google, which is making this all that much harder to fix. I'm pretty sure there are multiple trojans and even if I delete them (assuming I can see them), they come back. If I uncheck things in the startup menu, they recheck. Every time I open up Internet Explorer or Mozilla Firefox, the site immediately changes to a random advertisement page. Also, when the internet is connected, the laptop receives random popups at random times to more advertisement pages. Certain trojans that are detected will delete, but come right back, and even if the program says it will delete on startup, it fails, and it's still there with another virus check. I cannot do online virus checks due to IE and Mozilla not working.

I already found surfsidekick and fixed it using this site; I don't know what the rest of the trojans even are. I believe surfsidekick is all gone, I could be wrong. Some of the processes that I have seen are:

explorer.exe (Not bad)
rundll32.exe (Not sure if this is bad)
afhcp.exe (This appears 3 times at once)
jvpxpt.exe (Sometimes appears 2 times at once)
bdcyv.exe

pdpxgcr.dll was found by Kaspersky Auto Virus, as were some of the above processes.

If anybody can help with this I will be eternally grateful.

Logfile of HijackThis v1.99.1
Scan saved at 4:54:00 PM, on 7/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\afhcp.exe
F2 - REG:system.ini: UserInit=userinit.exe,kbngayh.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\m828lifu1828.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
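As an added example (not HijackThis's own code and not anything from this thread), the triage rules a helper applies when reading a log like the one above, in Python over a constructed sample made of entries copied from that log: chained binaries on the system.ini Shell= and UserInit= values (F2), the New.Net LSP hijack (O10), a Winlogon Notify DLL (O20), services with an unknown owner or missing binary (O23), and orphaned R3/O3 entries.

```python
"""Triage of HijackThis v1.99.1 log lines (added example, not the tool's code)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of the first log in the thread
# (entries copied from it; the real log has many more lines).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\afhcp.exe
F2 - REG:system.ini: UserInit=userinit.exe,kbngayh.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\m828lifu1828.dll
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe (file missing)
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O10 - Hijacked ...".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Binaries a clean Windows XP system names in these system.ini keys
# (compared by file name, so a full path to userinit.exe is not flagged).
EXPECTED_F2 = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _f2_extra_values(body: str) -> Optional[Tuple[str, List[str]]]:
    """Return (key, extra binaries) for an F2 line that chains extra executables
    onto Shell= or UserInit=, or None when only the expected binary is listed."""
    _, _, key_value = body.partition(": ")        # drop the "REG:system.ini" prefix
    key, _, value = key_value.partition("=")
    expected = EXPECTED_F2.get(key.strip().lower())
    if expected is None:
        return None
    parts = [p.strip() for p in value.split(",") if p.strip()]
    extras = [p for p in parts if ntpath.basename(p).lower() not in expected]
    return (key.strip(), extras) if extras else None


def triage_line(line: str) -> Optional[Finding]:
    """Apply the per-section rules to one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None                                # header, process list, blank
    sec, body = m.group("section"), m.group("body")
    if sec == "F2":
        hit = _f2_extra_values(body)
        if hit:
            return Finding(sec, f"{hit[0]}= chains extra binaries {hit[1]}", line)
    elif sec == "O10" and body.startswith("Hijacked"):
        return Finding(sec, "LSP hijack; Winsock may need a reset after removal", line)
    elif sec == "O20" and body.startswith("Winlogon Notify"):
        return Finding(sec, "Winlogon Notify DLL loads at logon; verify the publisher", line)
    elif sec == "O23" and ("Unknown owner" in body or "(file missing)" in body):
        return Finding(sec, "service with unknown owner or missing binary", line)
    elif "(file missing)" in body or "(no file)" in body:
        return Finding(sec, "orphaned entry pointing at a removed file", line)
    return None


def triage(log: str) -> List[Finding]:
    """Findings in log order; identical lines (the repeated O10s) collapse to one."""
    seen, out = set(), []
    for raw in log.splitlines():
        f = triage_line(raw)
        if f and f.line not in seen:
            seen.add(f.line)
            out.append(f)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```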



#2 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 28 July 2006 - 03:53 AM

Hello,
Please don't start with fixing items yourself, because this is confusing and I see you already fixed some entries... so the log won't show anymore what we have to manually delete.
I also see that you have Kaspersky and Norton installed. This is a very bad combination and can actually crash your system. So I recommend you get rid of Norton or Kaspersky.

It is important you don't miss a step and perform everything in the right order!!

Go to your control panel > software > add/remove programs and look if NewDotNet, New.Net, New.Net Applications or New.Net Domains is present and choose to uninstall.
If not present, download and use this uninstaller.
* Please make sure your anti-virus and anti-spyware programs don't hinder the complete removal of the new.net software. In case they interfere, temporarily disable them.
Reboot afterwards! Important!!!

* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by double-clicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon as shown in the next picture: [image]
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste the next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script
( alcanshorty.bfu ) manually from the above URL (right-click on it and choose 'save as' and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute' window.
Browse to the script you downloaded and click Ok and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

--------------------

Please download, install, and update Ewido anti-spyware
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close Ewido and reboot!!
    I need the log later.
-------------------------

* Download Combofix to your desktop.
Double-click combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog and the log from Ewido.
You may need several replies to post the logs.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Kiafi

  • Topic Starter

  • Members
  • 5 posts

Posted 28 July 2006 - 06:53 PM

I see no NewDotNet, New.Net, New.Net Applications or New.Net Domains in the Control Panel, and that link does not work; I cannot find nnuninstall.exe anywhere online. Should I continue with the rest of the things you said?

#4 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 28 July 2006 - 08:06 PM

The link does work though, I just tried it, but it's your antivirus interfering and deleting that uninstaller or blocking access.

Just try again and if it still won't work, proceed with the rest of my steps.
It could however be possible that after performing these steps without uninstalling NewDotNet, one of the scanners deletes the dll related to NewDotNet, which may result in the loss of your internet connection.

In case you don't have any internet connection after performing the above steps, perform the following to fix it:

Go to start > run and type cmd
A DOS window will appear.
Type the following in the DOS window: netsh winsock reset
Hit Enter and reboot.

This should solve your broken connection.

Edited by miekiemoes, 28 July 2006 - 08:07 PM.


#5 Kiafi

  • Topic Starter

  • Members
  • 5 posts

Posted 30 July 2006 - 04:02 AM

Did all that you asked, although combofix didn't save a log, it opened a txt with a date and where it was starting from, and that's all. The background was gone, and I left it all night. Should I do this again?

The program seemed to do something, at least. Here are the two other logs:

Logfile of HijackThis v1.99.1
Scan saved at 4:53:03 AM, on 7/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\hijackthis\HijackThis.exe

O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

-------------------------------------------------------------

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:08:41 AM 7/30/2006

+ Scan result:



HKU\S-1-5-21-484763869-725345543-1691626490-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{364B6276-C6C1-40B6-A6D7-6C48871FD707} -> Adware.Accoona : Cleaned with backup (quarantined).
HKU\S-1-5-21-484763869-725345543-1691626490-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned with backup (quarantined).
C:\WINDOWS\icont.exe -> Adware.AdURL : Cleaned with backup (quarantined).
C:\WINDOWS\pjoydhbs.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\stub_sca3.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Interface\{8C88AAE2-A341-4DE8-B064-062194307E5F} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Interface\{C28EB22A-6966-4E4B-8592-E84C28D38402} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TypeLib\{506146FD-9499-49A8-AEDE-692C173B2AA4} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TypeLib\{B1C54189-72F0-4353-987B-18FA221BEF09} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TrustIn Popups -> Adware.Generic : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\TrustIn -> Adware.Generic : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\TrustIn\Search Results Spoofer -> Adware.Generic : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\TrustIn\Search Results Spoofer\se -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\TrustIn -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\TrustIn\Search Results Spoofer -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\TrustIn\Search Results Spoofer\se -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-484763869-725345543-1691626490-1003\Software\TrustIn -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-484763869-725345543-1691626490-1003\Software\TrustIn\Contextual Ads -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-484763869-725345543-1691626490-1003\Software\TrustIn\Search Results Spoofer -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-484763869-725345543-1691626490-1003\Software\TrustIn\Search Results Spoofer\se -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-484763869-725345543-1691626490-1003\Software\TrustIn\Weekly Executer -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\system32\MDC42ENU.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\aza2l19o1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\c600lgdm160a.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cfnsole.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\e0jmla111d.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\f6j2lg1o16.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\fpjm0311e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\fpro0393e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gpj6l31s1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\h8l20i3oe8.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hrlq0535e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\i4600ejmehoa0.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\i824lifq182e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\i8lo0i33e8.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ihxmontr.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kddblr.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kfymgr.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kldpo.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kt4ml7h11.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\l0r0la9m1d.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lv6809jue.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\m0rmla911d.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mdjet40.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mvn4l95q1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mvrui.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\n04s0ah7ed4.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nUrrhook.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nXrrhook.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\o6lu0g39e6.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\pddx5032.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\psotowiz.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\q4rqle951h.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\r28slcl71fq.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rLsapi32.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rrvpmsg.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\s4pu0e79eh.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sfcur32.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sgns.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\smsinv.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\swcfiles.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vbmredir.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wdbclnt.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wlavideo.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wlvdmoe.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
[2492] C:\WINDOWS\system32\tmrmmgr.dll -> Adware.Look2Me : Error during cleaning.
[2684] C:\WINDOWS\system32\tmrmmgr.dll -> Adware.Look2Me : Error during cleaning.
HKU\S-1-5-21-484763869-725345543-1691626490-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A19EF336-01D4-48E6-926A-FE7E1C747AED} -> Adware.MWSearch : Cleaned with backup (quarantined).
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet\newdotnet7_22.dll_tobedeleted -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Sandlot Shared\slghex.dll -> Adware.SpywareStorm : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\S-1-5-21-484763869-725345543-1691626490-1003\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\S-1-5-21-484763869-725345543-1691626490-1003\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{07A78AEA-4A54-4967-9A60-4B68592D30C7} -> Adware.TrustCleaner : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{FE6C16C4-16AD-47B6-B250-26AD1829E49A} -> Adware.TrustCleaner : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07A78AEA-4A54-4967-9A60-4B68592D30C7} -> Adware.TrustCleaner : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} -> Adware.TrustCleaner : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FE6C16C4-16AD-47B6-B250-26AD1829E49A} -> Adware.TrustCleaner : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07A78AEA-4A54-4967-9A60-4B68592D30C7} -> Adware.TrustCleaner : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} -> Adware.TrustCleaner : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FE6C16C4-16AD-47B6-B250-26AD1829E49A} -> Adware.TrustCleaner : Cleaned with backup (quarantined).
HKU\S-1-5-21-484763869-725345543-1691626490-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07A78AEA-4A54-4967-9A60-4B68592D30C7} -> Adware.TrustCleaner : Cleaned with backup (quarantined).
HKU\S-1-5-21-484763869-725345543-1691626490-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} -> Adware.TrustCleaner : Cleaned with backup (quarantined).
HKU\S-1-5-21-484763869-725345543-1691626490-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DA7FF3F8-08BE-4CAC-BC00-94D91C6AE7F4} -> Adware.TrustCleaner : Cleaned with backup (quarantined).
HKU\S-1-5-21-484763869-725345543-1691626490-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FE6C16C4-16AD-47B6-B250-26AD1829E49A} -> Adware.TrustCleaner : Cleaned with backup (quarantined).
HKU\S-1-5-21-484763869-725345543-1691626490-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{52B1DFC7-AAFC-4362-B103-868B0683C697} -> Adware.Vundo : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
HKU\S-1-5-21-484763869-725345543-1691626490-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -> Downloader.ConHook.l : Cleaned with backup (quarantined).
C:\WINDOWS\pss\bdcyv.exeCommon Startup -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\afhcp.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kbngayh.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\otfcb.dat -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\pdpxgcr.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OGNCGN31\drsmartload292a[1].exe -> Downloader.VB.aiw : Cleaned with backup (quarantined).
C:\626_101newer.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
:mozilla.623:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-1.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.623:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-15.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.623:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-2.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.623:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.624:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-1.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.624:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-15.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.624:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-3.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.624:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-4.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.625:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-1.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.625:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-13.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.625:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-14.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.625:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-3.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.625:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-4.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.626:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-13.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.626:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-14.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.626:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-3.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.626:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-4.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.627:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-13.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.627:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-14.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.629:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies.txt.moztmp -> TrackingCookie.247realmedia : Error during cleaning.
:mozilla.630:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies.txt.moztmp -> TrackingCookie.247realmedia : Error during cleaning.
:mozilla.631:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies.txt.moztmp -> TrackingCookie.247realmedia : Error during cleaning.
:mozilla.633:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-5.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.634:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-5.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.634:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-6.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.635:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-5.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.635:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-6.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).

----
(Goes on and on, ends with:)
----

:mozilla.9:C:\Documents and Settings\Eileen\Application Data\Mozilla\Firefox\Profiles\rj2l1b7z.default\cookies-4.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{5CC8DAB1-063B-1033-0302-051114200001}\Update.exe -> Trojan.Starter.65 : Cleaned with backup (quarantined).


::Report end


When the report starts to list the tracking cookies, it goes on for so long that it would require 8 more posts. Do you require this?

#6 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 30 July 2006 - 05:24 AM

Hello,

Yes, try combofix again, but try it in safe mode this time.

Also, can you rename Hijackthis.exe to Analyse.exe?
Then scan with Analyse.exe and post the log in your next reply (which will be a HijackThis log, of course).
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Kiafi (Topic Starter, Members, 5 posts)

Posted 30 July 2006 - 01:15 PM

It says that Combofix cannot run in Safe Mode.

I did rename HijackThis to Analyse.exe; here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 2:12:54 PM, on 7/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\Analyse.exe

O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

#8 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 30 July 2006 - 01:42 PM

Hi Kiafi, did you redownload combofix? Because it has been updated. The previous version can't run in safe mode, but this version will. So try again: redownload combofix and try to run it in safe mode.

If that doesn't work, try it again in normal mode.
The log that will be created afterwards will be on your C:\ with the name combofix.txt.

Also perform the next additional steps.

Check and fix the next entries in HijackThis:

O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe (file missing)


Then go to Start > Run and copy and paste the next command in the field:

sc delete rundll.exe

Hit enter.

I also want you to run the next additional scans.

Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, then accept the agreement.
Click > scan, then > next.
You'll see a list of all items found.
Don't choose rename yet! I want to see the log first, because legit items can also be present there...
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
I need that log later.

Download Silent Runners
Unzip it to a permanent folder.
Start SilentRunners.vbs
When your antivirus is giving an alert, do not block this. Allow the script.
Please wait until it prompts you the scan is finished!
Copy and paste the content of the txt file you get afterwards in your next reply together with the log from Silent Runners.

#9 Kiafi (Topic Starter, Members, 5 posts)

Posted 31 July 2006 - 07:53 PM

The link to combofix above has an exe that doesn't work in safe mode. I can't find any updated version; is there an official site?

I did everything else:

07/31/06 02:26:01 [Info]: BlackLight Engine 1.0.42 initialized
07/31/06 02:26:01 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/31/06 02:26:02 [Note]: 7019 4
07/31/06 02:26:02 [Note]: 7005 0
07/31/06 02:26:08 [Note]: 7006 0
07/31/06 02:26:08 [Note]: 7011 468
07/31/06 02:26:08 [Note]: 7026 0
07/31/06 02:26:09 [Note]: 7026 0
07/31/06 02:26:09 [Note]: 7015 720
07/31/06 02:26:09 [Note]: 7015 5
07/31/06 02:26:29 [Note]: FSRAW library version 1.7.1019
07/31/06 02:50:19 [Note]: 7007 0

---------------------------

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"!ewido" = ""C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {HKLM...CLSID} = "dMCIShell Class"
\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{24E27EA9-FCF3-444F-BD80-20543BA5D946}" = "Trustworking System Class"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\DOCUME~1\Eileen\LOCALS~1\Temp\wschtm35.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! wzcnotif\DLLName = "wzcdlg.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
{FED7043D-346A-414D-ACD7-550D052499A7}\(Default) = "dBpowerAMP Column Handler"
-> {HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll" ["Kaspersky Lab"]
Trillian\(Default) = "{6F1DC701-9891-11d5-B8C6-444553540001}"
-> {HKLM...CLSID} = "Trillian"
\InProcServer32\(Default) = "C:\Program Files\Trillian\buddy.dll" ["Cerulean Studios"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll" ["Kaspersky Lab"]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Eileen\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_05"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
kavsvc, kavsvc, ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe"" ["Kaspersky Lab"]
NICCONFIGSVC, NICCONFIGSVC, "C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe" ["Dell Inc."]
RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WLANKEEPER, WLANKEEPER, "C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe" ["Intel® Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 139 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 5 seconds.
---------- (total run time: 164 seconds)

#10 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 01 August 2006 - 12:28 AM

That's ok about combofix... I still don't know why it won't work on your system.

Perform next:

Open Notepad and copy and paste what is present in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{24E27EA9-FCF3-444F-BD80-20543BA5D946}"=-

[-HKEY_CLASSES_ROOT\CLSID\{24E27EA9-FCF3-444F-BD80-20543BA5D946}]

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report together with a new HijackThis log (made in normal mode).
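As an added example, not code from the thread or from HijackThis/Silent Runners, the following PowerShell script audits the same load points the logs in this thread flagged (Explorer's SharedTaskScheduler and ShellExecuteHooks, and services whose binary is gone, as with the "rundll.exe" O23 entry in post #8) and rehearses the fix.reg removal from post #10 with -WhatIf. It assumes a modern Windows host with an elevated PowerShell 5+ session; the function names are constructed here, while the CLSID and paths are the ones that appear in the logs above.

```powershell
# Added example, not code from the thread or from HijackThis/Silent Runners.
# Assumes a modern Windows host with an elevated PowerShell 5+ session; all function
# names are constructed here. CLSID and paths used below are the ones in the logs above.
Set-StrictMode -Version Latest

$SharedTaskKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
$ShellHookKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'

function Resolve-ClsidServer {
    # A CLSID listed at a load point is loaded via its InProcServer32 (Default) value.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InProcServer32"
    if (-not (Test-Path -Path $key)) { return $null }
    $raw = (Get-ItemProperty -Path $key).'(default)'
    if (-not $raw) { return $null }
    return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
}

function Get-PathFinding {
    # The two indicators seen in the thread: the DLL/EXE is gone ("file missing" /
    # "file not found") or it lives under a user Temp folder (wschtm35.dll above).
    param([string]$Path)
    if (-not $Path) { return 'no server path registered' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'file not found' }
    if ($Path -match '\\Temp\\') { return 'loads from a Temp folder' }
    return $null
}

function Get-ExplorerLoadPoint {
    # Enumerate the COM objects Explorer loads at logon from SharedTaskScheduler and
    # ShellExecuteHooks, resolve each CLSID to its DLL and attach a finding (or $null).
    foreach ($key in $SharedTaskKey, $ShellHookKey) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            # Value names at these keys are CLSIDs; skip PowerShell's PS* metadata.
            if ($name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
            $dll = Resolve-ClsidServer -Clsid $name
            [pscustomobject]@{
                LoadPoint = Split-Path -Path $key -Leaf
                Clsid     = $name
                Title     = $props.$name
                Server    = $dll
                Finding   = Get-PathFinding -Path $dll
            }
        }
    }
}

function Get-OrphanedService {
    # Services whose binary no longer exists, as with the "rundll.exe" O23 entry.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $image = $_.PathName
        if (-not $image) { return }
        # Strip surrounding quotes and arguments: "C:\x\y.exe" /arg  ->  C:\x\y.exe
        $image = if ($image.StartsWith('"')) { $image.Split('"')[1] } else { ($image -split ' ')[0] }
        $image = [Environment]::ExpandEnvironmentVariables($image)
        if (-not (Test-Path -LiteralPath $image)) {
            [pscustomobject]@{ Service = $_.Name; ImagePath = $image; Finding = 'file not found' }
        }
    }
}

function Remove-SharedTaskEntry {
    # Same effect as fix.reg in post #10: drop the value under SharedTaskScheduler and
    # delete the CLSID key. Honours -WhatIf / -Confirm so the change can be rehearsed.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    if ($PSCmdlet.ShouldProcess($Clsid, 'remove SharedTaskScheduler entry and CLSID key')) {
        Remove-ItemProperty -Path $SharedTaskKey -Name $Clsid -ErrorAction SilentlyContinue
        Remove-Item -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid" -Recurse -ErrorAction SilentlyContinue
    }
}

# Report only entries with a finding, then rehearse the fix for the CLSID from the log.
Get-ExplorerLoadPoint | Where-Object { $_.Finding } | Format-Table -AutoSize
Get-OrphanedService   | Format-Table -AutoSize
Remove-SharedTaskEntry -Clsid '{24E27EA9-FCF3-444F-BD80-20543BA5D946}' -WhatIf
```

Drop the -WhatIf on the last line only after confirming, as the helper does in post #8, that the resolved DLL is not a legitimate product's shell extension.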

#11 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 09 August 2006 - 03:14 AM

Hello,

If you want to try to fix the worst PC ever, as you posted in your title, you have to perform this asap... because when malware is still present, it will install more malware all the time. We are already one week later and you didn't post any feedback yet with the logs. It doesn't make any sense to clean a system if you wait days in between, because in most cases, we just have to start all over again.
I'll leave this thread open for another 2 days and if I still don't receive any feedback, then I'll close it.

#12 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 16 August 2006 - 06:22 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.