Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can't Remove Download.agent.uj With Fixwareout


  • This topic is locked This topic is locked
14 replies to this topic

#1 wormsmeal

wormsmeal

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 04 August 2006 - 10:13 PM

I recently got avast virus warnings for 2 Adan viruses (78 & 94? I think).
I ran ewido and it shows downloader.agent.uj but cannot quarantine or delete.

Other resolved posts claimed fixwareout.exe cleaned it out, but when I run fixwareout command prompt shows:
Bad command or file name
Unsupported windows version

I am on a win2k system.
I've tried running:
ad-aware (nothing found)
ewido (finds downloader.agent.uj but can't remove)
a-squared (found and removed somthing called kill+clean)
spybot s&d (freezes at 499/45178: Baciami)
Panda online scan (freezes when I try to save report)

The following is my Hijack Log (run from safe mode):
==================================
Logfile of HijackThis v1.99.1
Scan saved at 7:53:04 PM, on 8/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\administrator\Desktop\fix\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:<body%20bgcolor=black%20text=lightgreen%20style='font-size:100px;%20font-family:haettenschweiler'><i>crimosoft<br>unternet<br>exploiter
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\system32\s1940.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Remote Selector] C:\PROGRA~1\infra\REMSEL~1.EXE startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Startup: Notmad Manager.lnk = C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\system32\s1940.dll/blogimage
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .MTD: C:\Program Files\Internet Explorer\Plugins\npmusicn.dll
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {172C8307-DCA8-11D2-85FA-00105A9A29D2} (GSShellCtrl Class) - file://D:\develop\gsdev\GSWeb\controls\GSShell.dll
O16 - DPF: {17AA9E40-0D3D-11D3-B73B-00A0C9EE1B35} (MonitorCtrl Class) - file://D:\develop\gsdev\GSWeb\controls\GSMonitorX.dll
O16 - DPF: {182D18A0-0ECC-11D3-BE33-00105A9A29EB} (GSAlphaLedX Class) - file://D:\develop\gsdev\GSWeb\controls\GSAlphaLed.dll
O16 - DPF: {212987B1-06F5-11D3-B737-00A0C9EE1B35} (GSATX38PrintXCtrl Class) - file://D:\develop\gsdev\GSWeb\controls\GSATX38PrintX.dll
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://secure.vnsny.org/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {5D54EBC0-3959-11D3-B773-00A0C9EE1B35} (GsUtil Class) - file://D:\develop\gsdev\GSWeb\controls\GSUtil.dll
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D31DAAC7-F742-11D2-8622-00105A9A29D2} (GSKdmCardXCtl Class) - file://D:\develop\gsdev\GSWeb\controls\GSKdmCardX.dll
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{23E37CC1-49B5-4F41-AAA3-3523E138EB40}: NameServer = 85.255.116.140,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B2287A1-DDAA-4837-B44E-4E1C05245220}: NameServer = 85.255.116.140,85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.140 85.255.112.11
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.140 85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.140 85.255.112.11
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:08 AM

Posted 05 August 2006 - 09:07 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:



Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log into this topic.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 wormsmeal

wormsmeal
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 05 August 2006 - 10:19 PM

Hello Sam,

I've tried fixwareout.exe dozens of times (regular + safe mode). I stated in the original post that when I extracted & ran fixwareout the command prompt shows the following errors:
Bad command or file name
Unsupported windows version

The "Bad command or file name" appears several times in a row followed by the "Unsupported windows version". I am running win2k.

Is this the only fix to this virus?

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:08 AM

Posted 06 August 2006 - 07:40 AM

Sorry, I read your post too fast and jumped ahead on you. :thumbsup:

Let's do it a different way. We need to see a couple different logs.

Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found.
Don't choose for rename yet! I want to see the log first, because legit items can also be present there...
There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.


===============




Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 wormsmeal

wormsmeal
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 06 August 2006 - 01:58 PM

Thanks for your reply.

I ran Blacklight (blbeta.exe) -- 4 hidden items found and here is the log:
=================================================
08/06/06 14:36:03 [Info]: BlackLight Engine 1.0.42 initialized
08/06/06 14:36:03 [Info]: OS: 5.0 build 2195 (Service Pack 4)
08/06/06 14:36:04 [Note]: 7019 4
08/06/06 14:36:04 [Note]: 7005 0
08/06/06 14:36:38 [Note]: 7006 0
08/06/06 14:36:38 [Note]: 7011 964
08/06/06 14:36:38 [Note]: 7026 0
08/06/06 14:36:38 [Note]: 7026 0
08/06/06 14:37:00 [Note]: FSRAW library version 1.7.1019
08/06/06 14:42:29 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\cswfv.exe
08/06/06 14:42:29 [Note]: 7002 32
08/06/06 14:42:29 [Note]: 7003 1
08/06/06 14:42:29 [Note]: 10002 1
08/06/06 14:42:34 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\{0F827FFE-EE5C-4C86-9C5F-8ED44A39CBFA}.exe
08/06/06 14:42:34 [Note]: 7002 5
08/06/06 14:42:34 [Note]: 7003 1
08/06/06 14:42:34 [Note]: 10002 1
08/06/06 14:42:34 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\{102B37D3-4CF4-4C40-A319-23A7CEAE049C}.exe
08/06/06 14:42:34 [Note]: 7002 5
08/06/06 14:42:34 [Note]: 7003 1
08/06/06 14:42:34 [Note]: 10002 1
08/06/06 14:42:35 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\{DE5C64F3-BD45-407C-B7A8-B1900C71F17B}.exe
08/06/06 14:42:35 [Note]: 10002 1
08/06/06 14:45:17 [Note]: 2000 1006
08/06/06 14:46:24 [Note]: 7007 0
=================================================


Then I ran SilentRunners.vbs as instructed and after some time it crashed, saying: "WScript.exe - Application error"
However, it did write a log before crashing and here are the contents:
"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Creative Detector" = ""C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R" ["Creative Technology Ltd"]
"Spyware Doctor" = (empty string)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LoadQM" = "loadqm.exe" [MS]
"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]
"Remote Selector" = "C:\PROGRA~1\infra\REMSEL~1.EXE startup" [null data]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"dmrme.exe" = "C:\WINDOWS\system32\dmrme.exe" [file not found]
"!ewido" = ""C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}
"Register Homesite+.exe" = ""C:\Program Files\Macromedia\HomeSite+\Homesite+.exe" /REGSERVER" ["Macromedia, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{5945c046-1e7d-11d1-bc44-00c04fd912be}\(Default) = "MSN Messenger Service 3.6"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Remove.PerUser" [MS]
{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default) = "Microsoft Windows Media Player"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserRemove" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{D44BBB61-E17F-4AE6-A502-8D7E0B29E616}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Toolbar Helper"
\InProcServer32\(Default) = "C:\WINDOWS\system32\s1940.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{c7745760-8ead-11ce-b750-02608ca5202c}" = "IomegaWare Shell Extension"
-> {HKLM...CLSID} = "IomegaWare Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Iomega\Shell\ImgMenu.dll" ["Iomega Corp."]
"{c7745761-8ead-11ce-b750-02608ca5202c}" = "IomegaWare Shell Extension"
-> {HKLM...CLSID} = "IomegaWare Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Iomega\Shell\ImgProp.dll" ["Iomega Corp."]
"{E0D79300-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{E0D79301-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{E0D79302-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{6B19FEC2-A45B-11CF-9045-00A0C9039735}" = "Registered ActiveX Controls"
-> {HKLM...CLSID} = "Registered ActiveX Controls"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{D545EBD1-BD92-11CF-8772-00A0C9039735}" = "Developer Studio Components"
-> {HKLM...CLSID} = "Developer Studio Components"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshellext.dll" ["RealNetworks"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{4EFE464B-3D0B-4800-A5DE-2321283A3256}" = "QCD IconHandler"
-> {HKLM...CLSID} = "QIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Quintessential Player\QCDIcons.dll" [empty string]
"{0AC6C6C5-F7A8-11D2-BEF4-00C04F990001}" = "Macromedia FTP & RDS"
-> {HKLM...CLSID} = "Macromedia FTP & RDS"
\InProcServer32\(Default) = "C:\WINDOWS\system32\CfShellFtpRds.dll" ["Macromedia, Inc."]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{A68865DD-EE3C-4442-9BE9-1BAB2576E3FA}" = "NOMAD Explorer"
-> {HKLM...CLSID} = "NOMAD Explorer"
\InProcServer32\(Default) = "C:\Program Files\Creative\Creative Zen Touch\NOMAD Explorer\CTJBNS.DLL" ["Creative Technology Ltd"]
"{BBA7EB3F-97AB-4EBD-BCA2-C3C8DBED444F}" = "Notmad Explorer Zen"
-> {HKLM...CLSID} = "Notmad Explorer Zen"
\InProcServer32\(Default) = "C:\Program Files\Red Chair Software\Notmad Explorer\notmadjz.dll" ["Red Chair Software, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cswfv.exe" [null data]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "PDBoot.exe autocheck autochk *" [file not found], [file not found], [MS], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! ScCertProp\DLLName = "wlnotify.dll" [MS]
INFECTION WARNING! Schedule\DLLName = "wlnotify.dll" [MS]
INFECTION WARNING! wlballoon\DLLName = "wlnotify.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]


Default executables:
--------------------

HKLM\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
INFECTION WARNING! HKLM\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = "C:\WINDOWS\NOTEPAD.EXE "%1"" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\ACD Wallpaper.bmp"
==================================================================================================

PS - While running blacklight, AVG popped up finding:
- Trojan Horse Generic.XFV - C:\WINDOWS\SYSTEM32\{0F827FFE-EE5C-4C86-9C5F-8ED44A39CBFA}.exe
- Trojan Horse Generic.XKS - C:\WINDOWS\SYSTEM32\{102B37D3-4CF4-4C40-A319-23A7CEAE049C}.exe
But could neither heal nor quarantine them.
(I've installed AVG and removed avast after the first incident upon recommendation.)

#6 wormsmeal

wormsmeal
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 06 August 2006 - 04:26 PM

I've tried to remove the questionable files:
c:\WINDOWS\SYSTEM32\cswfv.exe
c:\WINDOWS\SYSTEM32\{0F827FFE-EE5C-4C86-9C5F-8ED44A39CBFA}.exe
c:\WINDOWS\SYSTEM32\{102B37D3-4CF4-4C40-A319-23A7CEAE049C}.exe
c:\WINDOWS\SYSTEM32\{DE5C64F3-BD45-407C-B7A8-B1900C71F17B}.exe

with KillBox. "Standard File Kill" did not work, and "Delete on reboot" resulted in the following error:
"PendingFileRenameOperations Registry Data has been removed by External Process!"

I then tried to remove with HijackThis "Delete a file on Reboot" and rebooted 4 times with each of the files selected. I believe they were removed as KillBox did not say "file does not exist" when I pasted there subsequently.

Ewido still shows downloader.agent.uj, and system randomly freezes when not in safe mode until explorer is killed. Twice I've received this error on reboot "SAS Window: winlogon.exe application error" which resulted in self-reboot. Also after some indeterminate time, all internet browsing seems to be stopped by ZoneAlarm.

I think I'm losing this battle. Do I need to backup my system and reinstall windows? (if that works)
Is the data on my secondary drives in danger?

What to do?

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:08 AM

Posted 06 August 2006 - 09:19 PM

Your jumping ahead of me, so I'm not sure if this will still work the way it should.


Select these items in blacklite and choose rename:

c:\WINDOWS\SYSTEM32\cswfv.exe
c:\WINDOWS\SYSTEM32\{0F827FFE-EE5C-4C86-9C5F-8ED44A39CBFA}.exe
c:\WINDOWS\SYSTEM32\{102B37D3-4CF4-4C40-A319-23A7CEAE049C}.exe
c:\WINDOWS\SYSTEM32\{DE5C64F3-BD45-407C-B7A8-B1900C71F17B}.exe


The tool will ask if you want to reboot (restart) choose yes.




Please open up Ewido Anti-spyware
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close Ewido anti-spyware, Do Not run a scan just yet, we will shortly.

You may want to print out these instructions as the rest of this fix will take place in safe mode.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
  • Clean out your Temporary Internet files
  • Close Internet Explorer and quit any instances of Windows Explorer.
  • Click Start -> Control Panel and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
IMPORTANT: Close all windows and do not open any other windows or programs while Ewido is scanning, it may interfere with the scanning proccess:
  • Lauch Ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido and reboot your system back into Normal Mode and post the results of the Ewido scan report along with a new Hijackthis log.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 wormsmeal

wormsmeal
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 06 August 2006 - 10:43 PM

Thanks for your reply.

I reran blacklite and it only found this one:
- c:\WINDOWS\SYSTEM32\cswfv.exe
so I selected rename and rebooted. (Hopefully the others were removed with Hijack this?)

Followed all other instructions and here is the Ewido report:
===================================
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:33:59 PM 8/6/2006

+ Scan result:



C:\WINDOWS\SYSTEM32\cshel.exe.ren -> Downloader.Agent.uj : Cleaned with backup (quarantined).
:mozilla.96:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\vkman@earthlink.net\Cookies\administrator@.adorigin[2].txt -> TrackingCookie.Adorigin : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\vkman@earthlink.net\Cookies\administrator@adorigin[2].txt -> TrackingCookie.Adorigin : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\vkofman@earthlink.net\Cookies\administrator@.adorigin[2].txt -> TrackingCookie.Adorigin : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\vkofman@earthlink.net\Cookies\administrator@adorigin[2].txt -> TrackingCookie.Adorigin : Cleaned with backup (quarantined).
:mozilla.110:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
:mozilla.111:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
:mozilla.29:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.30:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.31:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.32:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.102:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
:mozilla.69:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\vkman@earthlink.net\Cookies\administrator@cz7.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\vkofman@earthlink.net\Cookies\administrator@cz7.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
:mozilla.64:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\vkman@earthlink.net\Cookies\administrator@com[3].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\vkofman@earthlink.net\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.39:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.58:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.59:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.60:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.33:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
:mozilla.34:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\vkman@earthlink.net\Cookies\administrator@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\vkofman@earthlink.net\Cookies\administrator@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\vkman@earthlink.net\Cookies\administrator@php.offshoreclicks[2].txt -> TrackingCookie.Offshoreclicks : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\vkofman@earthlink.net\Cookies\administrator@php.offshoreclicks[2].txt -> TrackingCookie.Offshoreclicks : Cleaned with backup (quarantined).
:mozilla.35:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.36:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.37:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.38:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.70:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.71:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.72:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.73:C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\zyqfquf2.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\vkman@earthlink.net\Cookies\administrator@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\vkman@earthlink.net\Cookies\administrator@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\vkofman@earthlink.net\Cookies\administrator@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
C:\!KillBox\{102B37D3-4CF4-4C40-A319-23A7CEAE049C}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\!KillBox\{0F827FFE-EE5C-4C86-9C5F-8ED44A39CBFA}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\!KillBox\{0F827FFE-EE5C-4C86-9C5F-8ED44A39CBFA}.exe( 1) -> Trojan.Small.gq : Cleaned with backup (quarantined).


::Report end
===================================

And this is the HiJack This Log:
===================================
Logfile of HijackThis v1.99.1
Scan saved at 11:40:30 PM, on 8/6/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\infra\REMSEL~1.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\administrator\Desktop\fix\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\system32\s1940.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Remote Selector] C:\PROGRA~1\infra\REMSEL~1.EXE startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dmrme.exe] C:\WINDOWS\system32\dmrme.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Startup: Notmad Manager.lnk = C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\system32\s1940.dll/blogimage
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .MTD: C:\Program Files\Internet Explorer\Plugins\npmusicn.dll
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {172C8307-DCA8-11D2-85FA-00105A9A29D2} (GSShellCtrl Class) - file://D:\develop\gsdev\GSWeb\controls\GSShell.dll
O16 - DPF: {17AA9E40-0D3D-11D3-B73B-00A0C9EE1B35} (MonitorCtrl Class) - file://D:\develop\gsdev\GSWeb\controls\GSMonitorX.dll
O16 - DPF: {182D18A0-0ECC-11D3-BE33-00105A9A29EB} (GSAlphaLedX Class) - file://D:\develop\gsdev\GSWeb\controls\GSAlphaLed.dll
O16 - DPF: {212987B1-06F5-11D3-B737-00A0C9EE1B35} (GSATX38PrintXCtrl Class) - file://D:\develop\gsdev\GSWeb\controls\GSATX38PrintX.dll
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://secure.vnsny.org/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {5D54EBC0-3959-11D3-B773-00A0C9EE1B35} (GsUtil Class) - file://D:\develop\gsdev\GSWeb\controls\GSUtil.dll
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D31DAAC7-F742-11D2-8622-00105A9A29D2} (GSKdmCardXCtl Class) - file://D:\develop\gsdev\GSWeb\controls\GSKdmCardX.dll
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{23E37CC1-49B5-4F41-AAA3-3523E138EB40}: NameServer = 85.255.116.140,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B2287A1-DDAA-4837-B44E-4E1C05245220}: NameServer = 85.255.116.140,85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.140 85.255.112.11
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.140 85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.140 85.255.112.11
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe
===================================

#9 wormsmeal

wormsmeal
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 07 August 2006 - 09:29 AM

After playing with it for some time, it seems like the infection is cured. eWido & AVG reports nothing, and the machine doesn't seem to freeze or drop internet connectivity any more.

I'm surprised that all the major anti-virus/anti-spyware apps couldn't clean it, only blacklight worked for me. It seems that AVG is much more reliable than avast for prevention.

Do the logs look clean?

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:08 AM

Posted 07 August 2006 - 02:34 PM

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [dmrme.exe] C:\WINDOWS\system32\dmrme.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{23E37CC1-49B5-4F41-AAA3-3523E138EB40}: NameServer = 85.255.116.140,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B2287A1-DDAA-4837-B44E-4E1C05245220}: NameServer = 85.255.116.140,85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.140 85.255.112.11
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.140 85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.140 85.255.112.11



===========================


Now lets check some settings on your system.
  • Enter your Control Panel and double-click on Network Connections
  • Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL
  • Left click on Properties
  • Double-Click on the Internet Protocol (TCP/IP) item
  • Select the radio dial that says Obtain DNS Servers Automatically
  • Press OK twice to get out of the properties screen and reboot if it asks
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)


=================


Use Killbox to delete this file.

C:\WINDOWS\system32\dmrme.exe


=================


Reboot and post a new hijackthis log.
Try FixWareout again and see if it works for you now. If so, post that log also.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 wormsmeal

wormsmeal
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 07 August 2006 - 05:27 PM

Followed all instructions and here is the HiJack This log:
===============================
Logfile of HijackThis v1.99.1
Scan saved at 6:25:00 PM, on 8/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\infra\REMSEL~1.EXE
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Documents and Settings\administrator\Desktop\fix\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\system32\s1940.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Remote Selector] C:\PROGRA~1\infra\REMSEL~1.EXE startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Startup: Notmad Manager.lnk = C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\system32\s1940.dll/blogimage
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .MTD: C:\Program Files\Internet Explorer\Plugins\npmusicn.dll
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {172C8307-DCA8-11D2-85FA-00105A9A29D2} (GSShellCtrl Class) - file://D:\develop\gsdev\GSWeb\controls\GSShell.dll
O16 - DPF: {17AA9E40-0D3D-11D3-B73B-00A0C9EE1B35} (MonitorCtrl Class) - file://D:\develop\gsdev\GSWeb\controls\GSMonitorX.dll
O16 - DPF: {182D18A0-0ECC-11D3-BE33-00105A9A29EB} (GSAlphaLedX Class) - file://D:\develop\gsdev\GSWeb\controls\GSAlphaLed.dll
O16 - DPF: {212987B1-06F5-11D3-B737-00A0C9EE1B35} (GSATX38PrintXCtrl Class) - file://D:\develop\gsdev\GSWeb\controls\GSATX38PrintX.dll
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://secure.vnsny.org/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {5D54EBC0-3959-11D3-B773-00A0C9EE1B35} (GsUtil Class) - file://D:\develop\gsdev\GSWeb\controls\GSUtil.dll
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D31DAAC7-F742-11D2-8622-00105A9A29D2} (GSKdmCardXCtl Class) - file://D:\develop\gsdev\GSWeb\controls\GSKdmCardX.dll
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain.local
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe
===============================

Tried fixwareout again, but still get:
Bad command or file name
Bad command or file name
Bad command or file name
Bad command or file name
Bad command or file name
Bad command or file name
Unsupported Windows version

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:08 AM

Posted 07 August 2006 - 06:34 PM

Your log is clean! :thumbsup:


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:flowers: :huh:
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 wormsmeal

wormsmeal
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 07 August 2006 - 10:28 PM

Thank you very much for all your help. I have made a small donation for your efforts.

Thank you for not making worm's meat out of me.

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:08 AM

Posted 07 August 2006 - 11:11 PM

Thank you for the donation! :thumbsup:
I'm glad I could help.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:08 AM

Posted 23 August 2006 - 07:48 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users