Fiesty Malware


11 replies to this topic

#1 Michael Grammas

Posted 02 August 2006 - 03:14 PM

Hi,

I have a PC with very persistent spyware. I've run AdAware, SpyBot and Ewido in Safe Mode, then Hijack This. Here's the log file.

Logfile of HijackThis v1.99.1
Scan saved at 11:37:35 AM, on 8/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\svchost.exe
C:\winnt\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://1/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {358D6850-A1BC-23D5-3635-7EB5FFF408FA} - C:\WINNT\xzlgkpst.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FA596762-80F5-D252-D59A-A10FA69D4D9F} - C:\winnt\system32\swz.dll (file missing)
O3 - Toolbar: Search - {0F51100A-33CB-97DF-6AD8-268C6E104D31} - C:\WINNT\xzlgkpst.dll (file missing)
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133132208\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SHA256] C:\Program Files\SHA256\secure.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://ax.web-nexus.net/download/ax/257/installer.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com...ver/Install.cab
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins002.exe
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)

#2 didom

Posted 03 August 2006 - 09:41 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Boot in Safe Mode!

Step #1

Scan again with HijackThis and check the following items:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://1/

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {358D6850-A1BC-23D5-3635-7EB5FFF408FA} - C:\WINNT\xzlgkpst.dll (file missing)
O2 - BHO: (no name) - {FA596762-80F5-D252-D59A-A10FA69D4D9F} - C:\winnt\system32\swz.dll (file missing)

O3 - Toolbar: Search - {0F51100A-33CB-97DF-6AD8-268C6E104D31} - C:\WINNT\xzlgkpst.dll (file missing)

O4 - HKLM\..\Run: [SHA256] C:\Program Files\SHA256\secure.exe

O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://ax.web-nexus.net/download/ax/257/installer.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com...ver/Install.cab
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins002.exe
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab

O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #2

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Step #3

Find and delete these files and folders (if they are still there):
c:\windows\system32\doser.exe <= this file
C:\WINDOWS\SYSTEM32\ssldr32.dll <= this file


Step #4

Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Try to reboot your computer in Normal Mode.

Step #5

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

#3 Michael Grammas

Posted 04 August 2006 - 10:21 AM

Active Scan, followed by Hijack This logs...


Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Gateway Customer\Cookies\gateway customer@atdmt[1].txt
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Gateway Customer\Local Settings\Temporary Internet Files\Ssk.log
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\NetworkService\Cookies\system@apmebf[2].txt
Spyware:Cookie/66.246.209 Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@66.246.209[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@888[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@adopt.hbmediapro[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@adrevolver[2].txt
Spyware:Cookie/aff504 Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@aff504[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@apmebf[2].txt
Spyware:Cookie/Deskwizz Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@apps.deskwizz[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@azjmp[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@belnk[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@cassava[1].txt
Spyware:Cookie/Date Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@date[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@dist.belnk[1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@fortunecity[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@i.screensavers[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@maxserving[2].txt
Spyware:Cookie/AspinallsOnlineCasino Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@pacificpoker[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@realmedia[1].txt
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@targetsaver[2].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@webpower[2].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@winfixer[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\junk\Spyware\smit\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\junk\Spyware\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\junk\Spyware\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\junk\Spyware\VirtumundoBeGone.exe[]
Potentially unwanted tool:Application/Processor Not disinfected C:\junk\Spyware\VundoFix.exe[process.exe]
Potentially unwanted tool:Application/RegClean32 Not disinfected C:\Program Files\Registry Cleaner Trial\regclean.dll
Potentially unwanted tool:Application/RegClean32 Not disinfected C:\Program Files\Registry Cleaner Trial\RegClean.exe
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINNT\Downloaded Program Files\f3initialsetup1.0.0.15.inf
Adware:Adware/IPInsight Not disinfected C:\WINNT\inf\alchem.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINNT\inf\satmat.inf
Adware:Adware/CommAd Not disinfected C:\WINNT\R2F0ZXdheSBDdXN0b21lcg\lZIXtrx1ym1GxrhXvZY5w0.vbs
Adware:Adware/PurityScan Not disinfected C:\WINNT\system32\GS2.exe
Adware:Adware/PurityScan Not disinfected C:\WINNT\system32\lsass.dll
Adware:Adware/SAHAgent Not disinfected C:\WINNT\system32\xmltok.dll


Logfile of HijackThis v1.99.1
Scan saved at 9:54:21 AM, on 8/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\winnt\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\DOCUME~1\GATEWA~1\MYDOCU~1\CROSOF~1.NET\winword.exe
C:\Program Files\Common Files\AOL\1133132208\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1133132208\ee\AOLServiceHost.exe
c:\program files\common files\aol\1133132208\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1133132208\ee\AOLServiceHost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133132208\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe
O4 - HKCU\..\Run: [Eoil] "C:\DOCUME~1\GATEWA~1\MYDOCU~1\CROSOF~1.NET\winword.exe" -vt ndrv
O4 - HKCU\..\Run: [Njy] C:\Program Files\Common Files\S?mantec\r?ndll32.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\winnt\system32\lsass.dll
O20 - Winlogon Notify: WgaLogon - C:\winnt\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)


#4 didom

Posted 04 August 2006 - 10:39 AM

Potentially unwanted tool:Application/RegClean32 Not disinfected C:\Program Files\Registry Cleaner Trial\regclean.dll
Potentially unwanted tool:Application/RegClean32 Not disinfected C:\Program Files\Registry Cleaner Trial\RegClean.exe

Have you installed that program on purpose? Then it isn't a problem...

----------------------------------

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Go to start > control panel > software > add/remove programs and uninstall the following if present:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin

or anything similar with Oin in it.


If OIN is not listed, download and run this uninstaller.

Reboot when done! Really important!

Step #2

Scan again with HijackThis and check the following items (if they are still there):
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R3 - Default URLSearchHook is missing

O4 - HKCU\..\Run: [Njy] C:\Program Files\Common Files\S?mantec\r?ndll32.exe

O20 - AppInit_DLLs: C:\winnt\system32\lsass.dll

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #3

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Step #4

Click Start -> Run
Paste in this command and press enter:

regsvr32 /u occache.dll

Step #5

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #6

Find and delete these files and folders (if they are still there):
C:\WINNT\Downloaded Program Files\f3initialsetup1.0.0.15.inf <= this file
C:\WINNT\inf\alchem.inf <= this file
C:\WINNT\inf\satmat.inf <= this file
C:\WINNT\R2F0ZXdheSBDdXN0b21lcg <= this folder
C:\WINNT\system32\GS2.exe <= this file
C:\WINNT\system32\lsassc.dll <= this file (NOTE: Delete the DLL file!! NOT lsassc.exe!!)
C:\WINNT\system32\xmltok.dll <= this file
C:\Program Files\Common Files\S?mantec <= this folder (The "?" could be anything, but will probably look like an "y")
C:\Documents and Settings\Gateway Customer\Local Settings\Temporary Internet Files\Ssk.log <= this file



Reboot your computer normally.


Step #7

Go back to:
Start -> Run
Paste in this command:

regsvr32 occache.dll

Step #8

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.
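The triage rules didom applies in the two replies above (orphaned "(file missing)" hooks, blank IE page settings, the odd ShellNext URL, O16 downloads from adware hosts, a non-empty AppInit_DLLs, the S?mantec look-alike path, a startup item living under My Documents) can be written down as a small filter. The following Python is an added example, not code from the thread or from HijackThis; the trusted-host list is an assumption, and the sample lines are copied from the logs posted in this thread.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: HijackThis 1.99.1 lines copied from the logs posted in
# this thread, plus clean entries (Spybot's SDHelper, QuickTime, Panda's own
# ActiveScan control, WgaLogon) that the filter must leave alone.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://1/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {358D6850-A1BC-23D5-3635-7EB5FFF408FA} - C:\WINNT\xzlgkpst.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Eoil] "C:\DOCUME~1\GATEWA~1\MYDOCU~1\CROSOF~1.NET\winword.exe" -vt ndrv
O4 - HKCU\..\Run: [Njy] C:\Program Files\Common Files\S?mantec\r?ndll32.exe
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\winnt\system32\lsass.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\winnt\SYSTEM32\WgaLogon.dll
"""

# Assumption: a deliberately tiny allow-list of download hosts treated as
# benign in this thread. A real triage list would be far longer.
TRUSTED_HOSTS = ("microsoft.com", "windowsupdate.com", "pandasoftware.com")

LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# 8.3 or long-form path into a user profile: startup items normally live in
# Program Files or system32, not in somebody's My Documents.
PROFILE_PATH_RE = re.compile(r"\\DOCUME~1\\|\\Documents and Settings\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str  # HijackThis section, e.g. "O20"
    reason: str   # why the line deserves a second look
    line: str     # the offending log line


def _trusted(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_HOSTS)


def classify(line: str):
    """Return a reason string if the line matches one of the triage rules, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if "(file missing)" in body:
        return "orphaned entry: the registered component's file is gone"
    if sec in ("R0", "R1") and body.rstrip().endswith("="):
        return "blank IE page setting, typically left behind by a hijacker"
    if sec == "R1" and "ShellNext" in body:
        url = URL_RE.search(body)
        if url and not _trusted(url.group(0)):
            return "ShellNext points at an untrusted URL " + url.group(0)
    if sec == "R3" and "is missing" in body:
        return "default URLSearchHook removed (search hijack residue)"
    if sec == "O4":
        if "?" in body:
            return "Run entry path contains a non-ASCII look-alike character"
        if PROFILE_PATH_RE.search(body):
            return "Run entry launches an executable from a user profile directory"
    if sec == "O16":
        url = URL_RE.search(body)
        if url and not _trusted(url.group(0)):
            return "ActiveX download from untrusted host " + (urlsplit(url.group(0)).hostname or "?")
    if sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return "AppInit_DLLs is set: that DLL is loaded into every process that uses user32"
    return None


def triage(log_text: str) -> list:
    """Run every line of a HijackThis log through classify() and collect the hits."""
    findings = []
    for raw in log_text.splitlines():
        reason = classify(raw)
        if reason:
            section = LINE_RE.match(raw.strip()).group("sec")
            findings.append(Finding(section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Each hit is a candidate for a closer look, not an automatic "Fix checked": the same rules also catch an orphaned but harmless service such as the PictureTaker entry in these logs.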

#5 Michael Grammas

Posted 04 August 2006 - 01:07 PM

QUOTE
Potentially unwanted tool:Application/RegClean32 Not disinfected C:\Program Files\Registry Cleaner Trial\regclean.dll
Potentially unwanted tool:Application/RegClean32 Not disinfected C:\Program Files\Registry Cleaner Trial\RegClean.exe

Have you installed that program on purpose? Then it isn't a problem...


This is a client's computer, so I'm not sure if she installed it on purpose. It does show up in the Add/Remove Programs list.

More logs...


Incident Status Location

Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Gateway Customer\Local Settings\Temporary Internet Files\Ssk.log
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\NetworkService\Cookies\system@apmebf[2].txt
Spyware:Cookie/66.246.209 Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@66.246.209[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@888[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@adopt.hbmediapro[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@adrevolver[2].txt
Spyware:Cookie/aff504 Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@aff504[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@apmebf[2].txt
Spyware:Cookie/Deskwizz Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@apps.deskwizz[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@azjmp[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@belnk[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@cassava[1].txt
Spyware:Cookie/Date Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@date[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@dist.belnk[1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@fortunecity[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@i.screensavers[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@maxserving[2].txt
Spyware:Cookie/AspinallsOnlineCasino Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@pacificpoker[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@realmedia[1].txt
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@targetsaver[2].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@webpower[2].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@winfixer[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\junk\Spyware\smit\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\junk\Spyware\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\junk\Spyware\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\junk\Spyware\VirtumundoBeGone.exe[]
Potentially unwanted tool:Application/Processor Not disinfected C:\junk\Spyware\VundoFix.exe[process.exe]
Potentially unwanted tool:Application/RegClean32 Not disinfected C:\Program Files\Registry Cleaner Trial\regclean.dll
Potentially unwanted tool:Application/RegClean32 Not disinfected C:\Program Files\Registry Cleaner Trial\RegClean.exe


Logfile of HijackThis v1.99.1
Scan saved at 1:01:11 PM, on 8/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\winnt\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1133132208\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1133132208\ee\AOLServiceHost.exe
c:\program files\common files\aol\1133132208\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1133132208\ee\AOLServiceHost.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133132208\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WgaLogon - C:\winnt\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)



#6 didom

Posted 04 August 2006 - 01:38 PM

Please find and delete this file:

C:\Documents and Settings\Gateway Customer\Local Settings\Temporary Internet Files\Ssk.log

Then reboot and post a fresh HijackThis log. How is the PC running now?

#7 Michael Grammas

Posted 04 August 2006 - 04:06 PM

Dick,

I see how ssk.log keeps showing up in the Activescan log, but it's never in the Temporary Internet Files folder.

So, I searched the entire hard drive for it, and it popped up in several c:\Recycler directories. I was not allowed to delete from those directories, but it started a flashback for me to a time when I was running into a similar problem. Here's the text from that fix.

Differences Between the Recycle Bin and the Recycler Folder
Article ID : 171694
Last Review : August 9, 2001
Revision : 1.0
This article was previously published under Q171694
SUMMARY
This article describes the difference between the Recycle Bin and the Recycler folder.
MORE INFORMATION
When you delete a file in Windows NT Explorer or My Computer, the file is stored in the Recycle Bin. The file remains in the Recycle Bin until you empty the Recycle Bin or restore the file.

The Recycler folder is used only on NTFS partitions. The Recycler folder contains a Recycle Bin for each user that logs on to the computer, sorted by their security identifier (SID).

For additional information about the Recycle Bin, please see the following article in the Microsoft Knowledge Base:
136517 (http://support.microsoft.com/kb/136517/EN-US/) How the Recycle Bin Stores Files


Now open a Command Prompt window (Start > Run > Cmd) and leave it open. Close all open programs.

Click Start, Run, enter taskmgr and press OK in order to bring up Task Manager.
Go to the Processes tab and End Process on Explorer.exe.

Leave Task Manager open. Go back to the Command Prompt window, and type: rd /s c:\recycler in order to delete your Recycle Bin.
Answer Yes when prompted to confirm deletion.

NOTE: that command reads "rd (space)/s (space) c:\recycler"

Go back to Task Manager, click File > New Task and enter EXPLORER.EXE to restart the GUI shell. Close Task Manager.

Restart your computer. A new Recycle Bin will automatically be created.


Anyway, that's what I did to get rid of ssk.log. After rebooting, I ran another Active Scan, and damned if SSK.log didn't show up again in the scan log. But I can't find it anywhere on the system this time. I don't get it. The computer seems to be running fine now. Here's the log file.


Incident Status Location

Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Gateway Customer\Local Settings\Temporary Internet Files\Ssk.log
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\NetworkService\Cookies\system@apmebf[2].txt
Spyware:Cookie/66.246.209 Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@66.246.209[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@888[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@adopt.hbmediapro[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@adrevolver[2].txt
Spyware:Cookie/aff504 Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@aff504[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@apmebf[2].txt
Spyware:Cookie/Deskwizz Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@apps.deskwizz[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@azjmp[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@belnk[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@cassava[1].txt
Spyware:Cookie/Date Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@date[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@dist.belnk[1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@fortunecity[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@i.screensavers[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@maxserving[2].txt
Spyware:Cookie/AspinallsOnlineCasino Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@pacificpoker[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@realmedia[1].txt
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@targetsaver[2].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@webpower[2].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Nonnie\Cookies\nonnie@winfixer[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\junk\Spyware\smit\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\junk\Spyware\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\junk\Spyware\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\junk\Spyware\VirtumundoBeGone.exe[]
Potentially unwanted tool:Application/Processor Not disinfected C:\junk\Spyware\VundoFix.exe[process.exe]
Potentially unwanted tool:Application/RegClean32 Not disinfected C:\Program Files\Registry Cleaner Trial\regclean.dll
Potentially unwanted tool:Application/RegClean32 Not disinfected C:\Program Files\Registry Cleaner Trial\RegClean.exe

#8 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:10 PM

Posted 05 August 2006 - 08:31 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Please run Notepad and copy the following text into a new file:

rem Strip the read-only, system and hidden attributes so the recycle-bin folders can be emptied
attrib -r -s -h %systemdrive%\RECYCLER
rem "del" on a folder removes the files inside it; answer Y at the "Are you sure" prompt
del %systemdrive%\RECYCLER
attrib -r -s -h %systemdrive%\RECYCLED
del %systemdrive%\RECYCLED
rem Restart immediately (/t 0) and force open programs to close (/f)
shutdown /r /t 0 /f

Save the file as recyclerem.bat and make sure the "Save as type" field says "All files".

Double-click on the file recyclerem.bat; a small DOS-type window should open and close immediately.
You can answer any questions with "Yes".

Step #2

Download Killbox to your desktop.
Click killbox.exe.
Select the option "Delete on reboot".
In the field labeled "Full Path of File to Delete", copy and paste the following:

C:\Documents and Settings\Gateway Customer\Local Settings\Temporary Internet Files\Ssk.log

Click the button: Single File (!important!)

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that the listed file will be removed on next reboot and asks if you would like to Reboot now, click YES

Your computer must reboot now.

Step #3

Find these folders:
C:\Documents and Settings\Nonnie\Cookies <= delete everything inside the folder
C:\Documents and Settings\NetworkService\Cookies <= delete everything inside the folder

Step #4

Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

Also tell me how the computer is running now!
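The "Delete on reboot" step above relies on a mechanism that is worth understanding beyond this one cleanup: Windows NT/XP lets a process ask for a locked file to be removed during the next boot, before any user-mode program can open it, by calling MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT. The request is stored in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager as (source, destination) pairs, where an empty destination means "delete". Anything running as an administrator can queue entries there, so the same value is worth reading during incident response. The following is an added example, not Killbox's code and not part of this thread; that Killbox itself uses this API is an assumption, and the file paths are constructed samples.

```python
"""Added example: build, parse and (on Windows) queue delete-on-reboot
requests.  Not from the thread above; the API is documented Win32, the
assumption that Killbox uses it is the example author's."""
import ctypes
import sys

# Flag for MoveFileExW: defer the operation until the next boot.
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

REG_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
REG_VALUE = "PendingFileRenameOperations"


def nt_path(win_path):
    """Return the NT object-manager form ('\\??\\C:\\dir\\file') that the
    registry value uses for a Win32 path like 'C:\\dir\\file'."""
    if win_path.startswith("\\??\\"):
        return win_path
    return "\\??\\" + win_path


def pending_rename_entries(paths):
    """Build the REG_MULTI_SZ list as stored in PendingFileRenameOperations:
    each file to delete is followed by an empty destination string."""
    entries = []
    for p in paths:
        entries.append(nt_path(p))
        entries.append("")
    return entries


def parse_pending_renames(multi_sz):
    """Forensic inverse: turn the stored list back into operations so an
    analyst can see what is queued to vanish or move on the next boot."""
    ops = []
    for i in range(0, len(multi_sz) - 1, 2):
        src, dst = multi_sz[i], multi_sz[i + 1]
        ops.append({
            "source": src,
            "action": "delete" if dst == "" else "rename",
            "destination": dst,
        })
    return ops


def schedule_delete_on_reboot(win_path):
    """Queue win_path for deletion at next boot.  Windows only; needs the
    same privilege the registry key requires (administrator)."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    kernel32.MoveFileExW.restype = ctypes.c_int
    # A NULL new name plus the delay flag means "delete at boot".
    if not kernel32.MoveFileExW(win_path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())
    return True


if __name__ == "__main__":
    # Constructed sample path, not taken from the thread's logs.
    sample = r"C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Ssk.log"
    print(pending_rename_entries([sample]))
    print(parse_pending_renames(pending_rename_entries([sample])))
```

To verify what a tool queued, read the value with reg.exe (`reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations`) and feed the strings to parse_pending_renames; a rename whose destination you do not recognise deserves the same attention as the file the cleanup tool was asked to remove.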

#9 Michael Grammas

Michael Grammas
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:10 AM

Posted 07 August 2006 - 08:50 AM

Everything seems to be running OK now...

Logfile of HijackThis v1.99.1
Scan saved at 8:47:41 AM, on 8/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\winnt\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1133132208\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1133132208\ee\AOLServiceHost.exe
c:\program files\common files\aol\1133132208\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1133132208\ee\AOLServiceHost.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133132208\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WgaLogon - C:\winnt\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
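The log above is what a helper reads by eye: each line carries a section code (O2 browser helper objects, O4 Run keys, O9 extra buttons, O16 downloaded ActiveX, O20 AppInit/Winlogon hooks, O23 services) followed by the registry data and, usually, a file path. The following is an added example, not part of the thread and not HijackThis's own code: it parses that format and applies a few first-pass rules (targets marked "(file missing)", services with no publisher, Run entries with an unresolved path, load-at-logon DLLs outside the Windows directory, and ActiveX pulled over plain http). The sample lines are copied from the log above; the rule set and the assumed Windows directories are the example author's choices.

```python
"""Added example: first-pass triage of HijackThis 1.99 log lines.
Sample lines are copied from the thread; the rules are the author's."""
import re

# Constructed sample built from lines in the log posted above.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKCU\\..\\Run: [Microsoft Works Update Detection] ???\\WkDetect.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WgaLogon - C:\\winnt\\SYSTEM32\\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\\Program Files\\ewido anti-spyware 4.0\\guard.exe
O23 - Service: PictureTaker - Unknown owner - c:\\fixit\\pt\\PCTKRNT.SYS (file missing)
"""

# "O23 - rest of line": section code then the registry data.
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# A drive path, an %ENV% path, or HijackThis's "???" for an unresolved path,
# ending in a binary extension.
PATH_RE = re.compile(
    r"((?:[A-Za-z]:|%\w+%|\?\?\?)\\[^\"]*?\.(?:exe|dll|sys|cab|ocx))",
    re.IGNORECASE,
)

# Assumed system roots; XP on this machine uses C:\winnt (see the log).
WINDOWS_DIRS = ("c:\\windows\\", "c:\\winnt\\")


def parse_line(line):
    """Split one log line into its section code, body and first file path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    pm = PATH_RE.search(body)
    return {"code": m.group("code"), "body": body, "path": pm.group(1) if pm else None}


def triage(log_text):
    """Apply the first-pass rules to every parsable line; return findings."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        code, body, path = entry["code"], entry["body"], entry["path"]
        reasons = []
        if "(file missing)" in body:
            reasons.append("orphaned entry: referenced file is missing")
        if code == "O23" and "Unknown owner" in body:
            reasons.append("service with no publisher string")
        if code == "O4" and path and path.startswith("???"):
            reasons.append("Run entry with unresolved path")
        if code == "O20" and path and not path.lower().startswith(WINDOWS_DIRS):
            reasons.append("AppInit/Winlogon DLL outside the Windows directory")
        if code == "O16" and "http://" in body.lower():
            reasons.append("ActiveX control downloaded over plain http")
        for reason in reasons:
            findings.append({"code": code, "reason": reason, "path": path, "line": raw.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']:4} {f['reason']:50} {f['path']}")
```

On the sample, the orphaned BitDefender button, the PictureTaker service (no owner and a missing driver), the Works updater with its "???" path and the Panda ActiveScan download are reported; SDHelper.dll, WgaLogon.dll in system32 and the ewido guard service are not. Orphaned entries are leftovers rather than live threats, which matches the helper's verdict that the log is clean, but they are still the lines to remove so the next scan is easier to read.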

#10 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:10 PM

Posted 07 August 2006 - 09:10 AM

This log looks clean!
  • Don't forget to re-hide all files and folders. To re-hide all files and folders:
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading deselect "Show hidden files and folders".
    • Check the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.
  • This is a good time to set up protection against further attacks. Read the article behind this link: "How did I get infected". If you don't already have them, you need an antivirus that is kept updated, a good firewall (for example Kerio Personal Firewall or ZoneLabs Zone Alarm), a spyware blocker like SpywareBlaster and IE-Spyads, and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available. Be very cautious about any security software that advertises in popups or other intrusive ways: it is not only usually useless, but also often has malware in it.

    Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

    Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer.

    This can be accessed by going to http://windowsupdate.microsoft.com and following the prompts. If you are running Windows XP make sure you get updated to SP-2!!

    Please post back if you are still having any problems....



#11 Michael Grammas

Michael Grammas
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:10 AM

Posted 07 August 2006 - 09:36 AM

Thanks, Didom.

You da man!!!

#12 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:10 PM

Posted 07 August 2006 - 09:56 AM

You're welcome :thumbsup:
