
Ad.bannerconnect, Winantivirus Pro 2006, Ad -w-a-r-e, Other Popups


This topic is locked
7 replies to this topic

#1 jayfortyfive (Members, 4 posts)

Posted 10 August 2006 - 09:53 PM

Logfile of HijackThis v1.99.1
Scan saved at 10:45:48 PM, on 8/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\COMMON~1\SSTEM~1\chkdsk.exe
C:\WINDOWS\System32\zqskw.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.711.1664\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.portal.radford.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.portal.radford.edu/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Printer Spooler] C:\WINDOWS\system32\103.tmp
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gorilwp] C:\PROGRA~1\FNTS~1\wuaclt.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\SSTEM~1\chkdsk.exe" -vt yazr
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://vram5.vcu.edu/iNotes6W.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155235882542
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155235871016
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\p66slgj716o.dll
O21 - SSODL: uJsnptYJ - {D4E07D7B-7E4A-D7D1-FA33-E4E6B406418F} - C:\WINDOWS\System32\nmdag.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
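
What a helper looks for by eye in a log like the one above, written out as an added example (not part of the thread, and not HijackThis output): a Python script that parses O4/O18/O20/O21 lines and flags the ones worth a second look. The sample lines are copied from the log above, with the Java updater kept as a clean control; the rules, the list of commonly impersonated Windows binaries and the allowlist of normal 8.3 short names are the editor's assumptions.

```python
"""Heuristic triage of HijackThis autostart lines (O4/O18/O20/O21).

Added example, not part of the thread. The rules encode what a log reader
checks by hand: high-value hook points, random-looking names, Windows binary
names in odd folders, 8.3 short paths that hide the real folder name, and
code launched from .tmp files.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: lines copied from the first HijackThis log in the thread,
# plus the legitimate Java updater line as a control.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Printer Spooler] C:\WINDOWS\system32\103.tmp
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O4 - HKCU\..\Run: [Gorilwp] C:\PROGRA~1\FNTS~1\wuaclt.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\SSTEM~1\chkdsk.exe" -vt yazr
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\p66slgj716o.dll
O21 - SSODL: uJsnptYJ - {D4E07D7B-7E4A-D7D1-FA33-E4E6B406418F} - C:\WINDOWS\System32\nmdag.dll
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
VALUE_NAME = re.compile(r"\[([^\]]+)\]")
# First drive-letter path ending in a loadable-module extension.
PATH = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|tmp|ocx|sys))\b", re.IGNORECASE)
SHORT_NAME = re.compile(r"^[A-Z0-9_]{1,6}~\d+$", re.IGNORECASE)
SYSTEM32 = re.compile(r"\\(?:windows|winnt)\\system32$", re.IGNORECASE)

# Hook points where any third-party DLL deserves scrutiny.
HIGH_VALUE = {
    "O18": "MIME filter: the DLL sees every text/html page IE renders",
    "O20": "Winlogon Notify: the DLL is loaded into winlogon.exe at logon",
    "O21": "SSODL: the DLL is loaded into explorer.exe at every shell start",
}
# Assumed list of Windows binaries whose names malware borrows, exactly or one letter off.
SYSTEM_BINARIES = ("chkdsk", "lsass", "svchost", "tracert", "userinit", "winspool", "wuauclt")
# Assumed allowlist of 8.3 aliases that are normal in HJT logs; any other '~' name is worth resolving.
KNOWN_SHORT = {"PROGRA~1", "PROGRA~2", "COMMON~1", "MICROS~1"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter-off impersonations (wuaclt vs wuauclt)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(token: str) -> bool:
    """Crude pronounceability test: no vowels at all, or letters and digits interleaved."""
    letters = [c for c in token if c.isalpha()]
    if len(letters) >= 4 and not any(c in "aeiouAEIOU" for c in letters):
        return True  # wfxqhv, zqskw
    runs = re.findall(r"[A-Za-z]+|\d+", token)
    return len(runs) >= 4  # k6mmN5IOU, p66slgj716o


def mimicked_binary(stem: str) -> Optional[str]:
    """Return the Windows binary name this file name copies or nearly copies, if any."""
    for known in SYSTEM_BINARIES:
        if edit_distance(stem.lower(), known) <= 1:
            return known
    return None


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return the lines worth a second look, each with the reasons that fired."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.groups()
        reasons: List[str] = []
        if section in HIGH_VALUE:
            reasons.append(HIGH_VALUE[section])
        name = VALUE_NAME.search(body)
        if name and looks_random(name.group(1)):
            reasons.append(f"random-looking value name {name.group(1)!r}")
        pm = PATH.search(body)
        if pm:
            parts = pm.group(1).split("\\")
            filename = parts[-1]
            stem, _, ext = filename.rpartition(".")
            in_system32 = bool(SYSTEM32.search("\\".join(parts[:-1])))
            if ext.lower() == "tmp":
                reasons.append(f"autostart launches a .tmp file {filename!r}")
            mimic = mimicked_binary(stem)
            if mimic and not in_system32:
                reasons.append(f"{filename!r} mimics Windows binary {mimic}.exe outside System32")
            elif not mimic and looks_random(stem):
                reasons.append(f"random-looking filename {filename!r}")
            for comp in parts[1:-1]:
                if SHORT_NAME.match(comp) and comp.upper() not in KNOWN_SHORT:
                    reasons.append(f"8.3 short name {comp!r} hides the real folder name (resolve with dir /x)")
        if reasons:
            findings.append({"section": section, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("   -", r)
```

Run it and every line except the Java updater is flagged, each with the rule that fired. The output ranks lines for a human, it does not give verdicts: vowel-less legitimate names such as msmsgs.exe will trip the randomness check, and a short name like SSTEM~1 still has to be resolved on the box (dir /x in that folder) before you know whether the long name is a look-alike of "system".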


#2 Rawe (Members, 2,363 posts, Finland)

Posted 11 August 2006 - 05:59 AM

Hello and welcome :thumbsup:

First of all, you don't seem to have an Anti-virus client running. This is extremely important.

Please get the free version of AVG.

Download & install it, configure it how you wish, update it. Next, run a scan with it (set it to scan everything it can). Remove/quarantine everything found. Reboot.

----

Next....

Download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply. :flowers:
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Hi there, stranger!

#3 jayfortyfive (Topic Starter, 4 posts)

Posted 11 August 2006 - 12:38 PM

Thanks for the help. I scanned with AVG and deleted/quarantined everything it found, rebooted, ran ComboFix and let it do its thing, and here's the scan log. (Pretty long :/)

Start Time= Fri 08/11/2006 13:15:52.85
Running from: C:\Documents and Settings\Adam\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{B1D1B6A4-CFCD-4D4A-9487-B74D4088F383}]
@=""

[HKEY_CLASSES_ROOT\clsid\{B1D1B6A4-CFCD-4D4A-9487-B74D4088F383}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{B1D1B6A4-CFCD-4D4A-9487-B74D4088F383}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{B1D1B6A4-CFCD-4D4A-9487-B74D4088F383}\InprocServer32]
@="C:\\WINDOWS\\system32\\meprivs.dll"
"ThreadingModel"="Apartment"

Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

13:18:09.83

* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-07-31 16:03:08 1,163,264 "C:\WINDOWS\system32\riwzkn.exe"
2006-07-20 16:31:36 1,163,264 "C:\WINDOWS\system32\wfxqhv.exe"
2006-08-09 12:07:38 45,056 "C:\WINDOWS\system32\ghynf.exe"
2006-08-10 23:08:28 48,187 "C:\WINDOWS\system32\VSL03.exe"
2006-08-10 18:23:26 48,167 "C:\WINDOWS\system32\VSL05.exe"
2006-08-09 12:10:16 45,056 "C:\WINDOWS\system32\zkdmg.exe"
2006-07-20 16:31:24 36,864 "C:\WINDOWS\system32\zqskw.exe"
2006-08-10 23:08:40 32,768 "C:\WINDOWS\system32\WinDmy.dll"
2006-07-31 16:01:30 159,744 "C:\WINDOWS\system32\ekuxpv3.exe"
2006-08-11 11:45:38 1,150,976 "C:\WINDOWS\system32\rlvknlg.exe"
2006-08-10 23:26:42 2 "C:\WINDOWS\system32\wnstsit.exe"
2006-08-10 23:25:36 81,920 "C:\WINDOWS\system32\chkntfs.dll"
2006-08-11 11:45:40 8,464 "C:\WINDOWS\system32\sporder.dll"
2006-08-10 23:08:40 303,104 "C:\WINDOWS\system32\WinNB57.dll"
2006-08-09 12:07:40 221,184 "C:\WINDOWS\system32\xeymi.dll"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *




DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-07-31 16:01:30 159,744 "C:\WINDOWS\system32\ekuxpv3.exe"
2006-08-11 11:45:38 1,150,976 "C:\WINDOWS\system32\rlvknlg.exe"
2006-08-10 23:26:42 2 "C:\WINDOWS\system32\wnstsit.exe"
2006-07-31 16:03:08 1,163,264 "C:\WINDOWS\system32\riwzkn.exe"
2006-07-20 16:31:36 1,163,264 "C:\WINDOWS\system32\wfxqhv.exe"
2006-08-09 12:07:38 45,056 "C:\WINDOWS\system32\ghynf.exe"
2006-08-10 23:08:28 48,187 "C:\WINDOWS\system32\VSL03.exe"
2006-08-10 18:23:26 48,167 "C:\WINDOWS\system32\VSL05.exe"
2006-08-09 12:10:16 45,056 "C:\WINDOWS\system32\zkdmg.exe"
2006-07-20 16:31:24 36,864 "C:\WINDOWS\system32\zqskw.exe"
2006-08-10 23:25:36 81,920 "C:\WINDOWS\system32\chkntfs.dll"
2006-08-11 11:45:40 8,464 "C:\WINDOWS\system32\sporder.dll"
2006-08-10 23:08:40 303,104 "C:\WINDOWS\system32\WinNB57.dll"
2006-08-10 23:08:40 32,768 "C:\WINDOWS\system32\WinDmy.dll"
2006-08-09 12:07:40 221,184 "C:\WINDOWS\system32\xeymi.dll"


(((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\repairs303169590.dll
C:\Documents and Settings\Adam\Application Data\Sskknwrd.dll
C:\Documents and Settings\Adam\Application Data\Sskuknwrd.dll
C:\Documents and Settings\Adam\Local Settings\Temp\SskUpdater3.exe
C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Ssk.log
C:\Program Files\SurfSideKick 3\Ssk.exe
C:\Program Files\SurfSideKick 3\SskBho.dll
C:\Program Files\SurfSideKick 3\SskCore.dll
C:\WINDOWS\system32\bk.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



13:23:04.19
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\uninstall_nmon.vbs
C:\Program Files\network monitor
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-11 11:55:34 ( .D... ) "C:\Documents and Settings\Adam\Application Data\AVG7"
2006-08-11 11:54:00 ( .D... ) "C:\Program Files\Grisoft"
2006-08-11 11:51:32 245760 ( A.... ) "C:\WINDOWS\system32\cemetrix.dll"
2006-08-11 11:45:40 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-08-11 11:45:38 1150976 ( A.... ) "C:\WINDOWS\system32\rlvknlg.exe"
2006-08-11 11:45:34 303104 ( A.... ) "C:\WINDOWS\system32\rlls.dll"
2006-08-10 23:26:42 2 ( A.... ) "C:\WINDOWS\system32\wnstsit.exe"
2006-08-10 23:25:36 81920 ( A.... ) "C:\WINDOWS\system32\chkntfs.dll"
2006-08-10 23:08:52 38412 ( A.... ) "C:\WINDOWS\ssqbn.exe"
2006-08-10 23:08:40 303104 ( A.... ) "C:\WINDOWS\system32\WinNB57.dll"
2006-08-10 23:08:40 32768 ( A.... ) "C:\WINDOWS\system32\WinDmy.dll"
2006-08-10 23:08:38 1167 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-08-10 23:08:38 1167 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-08-10 23:08:36 376832 ( A.... ) "C:\WINDOWS\876057.exe"
2006-08-10 23:08:30 234248 ( A.... ) "C:\WINDOWS\Tagasuarus2.exe"
2006-08-10 23:08:30 29696 ( A.... ) "C:\WINDOWS\system32\w06f1f1d.dll"
2006-08-10 23:08:28 48187 ( A.... ) "C:\WINDOWS\system32\VSL03.exe"
2006-08-10 23:08:28 2560 ( A.... ) "C:\WINDOWS\ac3_0002.exe"
2006-08-10 23:08:24 36864 ( A.... ) "C:\WINDOWS\thiselt.exe"
2006-08-10 19:16:40 ( .D... ) "C:\Program Files\HijackThis"
2006-08-10 18:55:24 1167 ( A.... ) "C:\WINDOWS\system32\xvgcc963.sys"
2006-08-10 18:55:24 1167 ( A.... ) "C:\WINDOWS\system32\xvgcc963.sys"
2006-08-10 18:23:38 61952 ( A.... ) "C:\WINDOWS\system32\aaa00000.dll"
2006-08-10 18:23:26 48167 ( A.... ) "C:\WINDOWS\system32\VSL05.exe"
2006-08-10 18:22:56 29696 ( A.... ) "C:\WINDOWS\system32\w00a1373.dll"
2006-08-10 18:04:10 ( .D... ) "C:\Program Files\CCleaner"
2006-08-10 17:46:42 182272 ( A.... ) "C:\uninstall6_90.exe"
2006-08-10 16:11:52 ( .D... ) "C:\Program Files\XoftSpy"
2006-08-10 16:00:40 ( .D... ) "C:\Program Files\XoftSpySE"
2006-08-09 20:56:58 ( .D... ) "C:\Program Files\Common Files\F?nts"
2006-08-09 20:26:28 ( .D... ) "C:\Program Files\Common Files\s?stem"
2006-08-09 17:02:22 ( .D... ) "C:\Documents and Settings\Adam\Application Data\Lavasoft"
2006-08-09 17:02:10 ( .D... ) "C:\Program Files\Lavasoft"
2006-08-09 16:27:40 ( .D... ) "C:\Documents and Settings\Adam\Application Data\Aim"
2006-08-09 16:03:04 61952 ( A.... ) "C:\WINDOWS\system32\xvgcc963.dll"
2006-08-09 12:19:14 29696 ( A.... ) "C:\WINDOWS\system32\w021fa03.dll"
2006-08-09 12:18:16 ( .D... ) "C:\Program Files\System Files"
2006-08-09 12:17:10 ( .D... ) "C:\Program Files\Common Files\wimz"
2006-08-09 12:10:52 45056 ( A.... ) "C:\WINDOWS\System32zkdmg.exe"
2006-08-09 12:10:52 28672 ( A.... ) "C:\WINDOWS\System32tpsd.exe"
2006-08-09 12:10:16 45056 ( A.... ) "C:\WINDOWS\system32\zkdmg.exe"
2006-08-09 12:10:16 28672 ( A.... ) "C:\WINDOWS\system32\tpsd.exe"
2006-08-09 12:07:40 221184 ( A.... ) "C:\WINDOWS\system32\xeymi.dll"
2006-08-09 12:07:40 45056 ( A.... ) "C:\WINDOWS\System32ghynf.exe"
2006-08-09 12:07:40 28672 ( A.... ) "C:\WINDOWS\System32bez6n4r21.exe"
2006-08-09 12:07:40 28672 ( A.... ) "C:\WINDOWS\system32\iqqr.exe"
2006-08-09 12:07:38 45056 ( A.... ) "C:\WINDOWS\system32\ghynf.exe"
2006-08-09 12:07:38 28672 ( A.... ) "C:\WINDOWS\system32\bez6n4r21.exe"
2006-08-09 12:07:24 57344 ( A.... ) "C:\WINDOWS\cs2m6f.exe"
2006-08-09 12:06:30 139264 ( A.... ) "C:\WINDOWS\MirarSetup_876075.exe"
2006-08-09 12:06:16 359634 ( A.... ) "C:\WINDOWS\media_motor_bundle.exe"
2006-07-31 16:03:08 1163264 ( A.... ) "C:\WINDOWS\system32\riwzkn.exe"
2006-07-31 16:02:56 36864 ( A.... ) "C:\WINDOWS\system32\hauc.exe"
2006-07-31 16:01:30 159744 ( A.... ) "C:\WINDOWS\system32\ekuxpv3.exe"
2006-07-22 18:08:02 18771 ( A.... ) "C:\WINDOWS\installer_252.exe"
2006-07-22 17:55:08 ( .D... ) "C:\Program Files\F?nts"
2006-07-20 16:31:36 1163264 ( A.... ) "C:\WINDOWS\system32\wfxqhv.exe"
2006-07-20 16:31:24 36864 ( A.... ) "C:\WINDOWS\system32\zqskw.exe"
2006-07-17 23:18:14 ( .D... ) "C:\Program Files\Wormhole"
2006-07-12 01:31:14 ( .D... ) "C:\Documents and Settings\Adam\Application Data\SearchToolbarCorp"
2006-07-12 01:30:58 ( .D... ) "C:\Program Files\VSToolbar"
2006-07-12 01:30:56 143380 ( A.... ) "C:\WINDOWS\system32\iannjqws.exe"
2006-06-21 18:38:40 235228 ( A.... ) "C:\WINDOWS\system32\icon_mediamotor.exe"
2006-06-21 18:38:16 115239 ( A.... ) "C:\WINDOWS\system32\ts_mediamotor.exe"
2006-05-23 17:55:14 157696 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-11 11:51 245,760 C:\WINDOWS\system32\cemetrix.dll
2006-08-11 11:45 8,464 C:\WINDOWS\system32\sporder.dll
2006-08-11 11:45 303,104 C:\WINDOWS\system32\rlls.dll
2006-08-11 11:45 1,150,976 C:\WINDOWS\system32\rlvknlg.exe
2006-08-10 23:26 2 C:\WINDOWS\system32\wnstsit.exe
2006-08-10 23:25 81,920 C:\WINDOWS\system32\chkntfs.dll
2006-08-10 23:08 48,187 C:\WINDOWS\system32\VSL03.exe
2006-08-10 23:08 376,832 C:\WINDOWS\876057.exe
2006-08-10 23:08 36,864 C:\WINDOWS\thiselt.exe
2006-08-10 23:08 32,768 C:\WINDOWS\system32\WinDmy.dll
2006-08-10 23:08 303,104 C:\WINDOWS\system32\WinNB57.dll
2006-08-10 23:08 29,696 C:\WINDOWS\system32\w06f1f1d.dll
2006-08-10 23:08 234,248 C:\WINDOWS\Tagasuarus2.exe
2006-08-10 23:08 2,560 C:\WINDOWS\ac3_0002.exe
2006-08-10 18:26 38,412 C:\WINDOWS\ssqbn.exe
2006-08-10 18:23 61,952 C:\WINDOWS\system32\aaa00000.dll
2006-08-10 18:23 1,167 C:\WINDOWS\system32\aaa00000.sys
2006-08-10 18:22 29,696 C:\WINDOWS\system32\w00a1373.dll
2006-08-10 17:46 182,272 C:\uninstall6_90.exe
2006-08-10 14:51 465,176 C:\WINDOWS\system32\wuapi.dll
2006-08-10 14:51 41,240 C:\WINDOWS\system32\wups.dll
2006-08-10 14:51 194,328 C:\WINDOWS\system32\wuaueng1.dll
2006-08-10 14:51 18,200 C:\WINDOWS\system32\wups2.dll
2006-08-10 14:51 172,312 C:\WINDOWS\system32\wuauclt1.exe
2006-08-10 14:51 127,256 C:\WINDOWS\system32\wucltui.dll
2006-08-09 16:03 61,952 C:\WINDOWS\system32\xvgcc963.dll
2006-08-09 16:03 1,167 C:\WINDOWS\system32\xvgcc963.sys
2006-08-09 12:21 48,167 C:\WINDOWS\system32\VSL05.exe
2006-08-09 12:19 29,696 C:\WINDOWS\system32\w021fa03.dll
2006-08-09 12:10 45,056 C:\WINDOWS\System32zkdmg.exe
2006-08-09 12:10 45,056 C:\WINDOWS\system32\zkdmg.exe
2006-08-09 12:10 28,672 C:\WINDOWS\System32tpsd.exe
2006-08-09 12:10 28,672 C:\WINDOWS\system32\tpsd.exe
2006-08-09 12:09 36,864 C:\WINDOWS\system32\hauc.exe
2006-08-09 12:09 159,744 C:\WINDOWS\system32\ekuxpv3.exe
2006-08-09 12:09 1,163,264 C:\WINDOWS\system32\riwzkn.exe
2006-08-09 12:07 57,344 C:\WINDOWS\cs2m6f.exe
2006-08-09 12:07 45,056 C:\WINDOWS\System32ghynf.exe
2006-08-09 12:07 45,056 C:\WINDOWS\system32\ghynf.exe
2006-08-09 12:07 36,864 C:\WINDOWS\system32\zqskw.exe
2006-08-09 12:07 28,672 C:\WINDOWS\System32bez6n4r21.exe
2006-08-09 12:07 28,672 C:\WINDOWS\system32\iqqr.exe
2006-08-09 12:07 28,672 C:\WINDOWS\system32\bez6n4r21.exe
2006-08-09 12:07 221,184 C:\WINDOWS\system32\xeymi.dll
2006-08-09 12:07 1,163,264 C:\WINDOWS\system32\wfxqhv.exe
2006-08-09 12:06 359,634 C:\WINDOWS\media_motor_bundle.exe
2006-08-09 12:06 139,264 C:\WINDOWS\MirarSetup_876075.exe
2006-07-22 18:07 18,771 C:\WINDOWS\installer_252.exe
2006-07-12 01:30 143,380 C:\WINDOWS\system32\iannjqws.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"k6mmN5IOU"="\"C:\\WINDOWS\\System32\\wfxqhv.exe\""
"pop06apelt"="C:\\WINDOWS\\thiselt.exe"
"RelevantKnowledge"="c:\\windows\\system32\\rlvknlg.exe -boot"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"areslite"="\"C:\\Program Files\\Ares Lite Edition\\AresLite.exe\" -h"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"themonitor"=""
"Gorilwp"="C:\\PROGRA~1\\FNTS~1\\wuaclt.exe"
"Ncao"="\"C:\\PROGRA~1\\COMMON~1\\SSTEM~1\\chkdsk.exe\" -vt yazr"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\kyhexe.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\MSN\\hofyvyna.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="C:\\Program Files\\Windows NT\\kyhexe.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ec,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
"Source"="C:\\Program Files\\Viewpoint\\hofyvyna.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ee,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,18,01,00,00,00,00,00,00,60,04,00,00,f8,03,00,00,f0,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}"=""


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sscan.sys


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: Fri 08/11/2006 13:23:18.27
ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-11.131552.txt
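
The Find3M report above lists folders named "F?nts" and "s?stem" (under Program Files and Common Files), and the HijackThis log before it shows the same folders only by their 8.3 aliases FNTS~1 and SSTEM~1. The "?" is a character ComboFix could not print; the Ewido report later in the thread renders those names as "Fоnts", "ѕуstem" and "Μicrosoft", spelled with Cyrillic and Greek letters that look like the real Fonts, system and Microsoft folders. As an added example, not part of the thread, the following Python checks each component of a path for mixed scripts and for confusable spellings of well-known folder names. The sample paths are constructed from the names the thread's reports show, and the confusables table and folder list are the editor's assumed subsets, not a library's.

```python
"""Spot look-alike folder names in file paths (added example, not from the thread).

Checks each backslash-separated path component for (a) letters from more than
one script, (b) a spelling that folds to a well-known folder name once
confusable letters are mapped to Latin, and (c) a '?' placeholder that a log
tool printed for a character it could not encode.
"""
import re
import unicodedata
from typing import Dict, List

# Folder names worth impersonating; assumed list, extend as needed.
KNOWN_FOLDERS = {"fonts", "system", "system32", "microsoft", "windows",
                 "common files", "program files", "temp"}

# Assumed subset of the Unicode confusables table (UTS #39): Cyrillic and Greek
# letters mapped to the Latin letter they resemble. Enough for the names in this thread.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0443": "y",
    "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M", "\u041d": "H",
    "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T", "\u0425": "X",
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u0399": "I", "\u039a": "K",
    "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P", "\u03a4": "T", "\u03a7": "X",
    "\u03bf": "o", "\u03bd": "v",
}

# Constructed sample paths, spelled as the Ewido and ComboFix reports in this thread show them.
SAMPLE_PATHS = [
    "C:\\Program Files\\F\u043ents\\wuaclt.exe",                                  # Cyrillic o
    "C:\\WINDOWS\\system32\\\u0455\u0443stem\\winspool.exe",                       # Cyrillic s, u
    "C:\\Documents and Settings\\Adam\\My Documents\\\u039cicrosoft\\tracert.exe",  # Greek capital Mu
    "C:\\Program Files\\Common Files\\s?stem\\chkdsk.exe",                         # as ComboFix printed it
    "C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe",                      # clean control
]


def script_of(ch: str) -> str:
    """First word of the Unicode character name: LATIN, CYRILLIC, GREEK, ..."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def skeleton(name: str) -> str:
    """Fold confusable letters to Latin and lowercase, so a Cyrillic-o 'Fonts' becomes 'fonts'."""
    return "".join(CONFUSABLES.get(c, c) for c in name).lower()


def audit_component(comp: str) -> List[str]:
    """Reasons a single path component looks like a look-alike folder name."""
    reasons: List[str] = []
    scripts = {script_of(c) for c in comp if c.isalpha()}
    if len(scripts) > 1:
        reasons.append("mixed scripts: " + "+".join(sorted(scripts)))
    folded = skeleton(comp)
    if folded != comp.lower() and folded in KNOWN_FOLDERS:
        reasons.append(f"look-alike spelling of {folded!r}")
    if "?" in comp:
        # '?' cannot appear in an NTFS name; a log tool printed it for a character it could not encode.
        pattern = re.escape(folded).replace(r"\?", ".")
        candidates = sorted(k for k in KNOWN_FOLDERS if re.fullmatch(pattern, k))
        reasons.append("unprintable character in name"
                       + (f", possibly {candidates[0]!r}" if candidates else ""))
    return reasons


def audit_path(path: str) -> Dict[str, List[str]]:
    """Map each suspicious component of a backslash path to its reasons."""
    out: Dict[str, List[str]] = {}
    for comp in path.split("\\"):
        reasons = audit_component(comp)
        if reasons:
            out[comp] = reasons
    return out


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        for comp, reasons in audit_path(p).items():
            print(f"{p}\n   {comp!r}: {'; '.join(reasons)}")
```

The mixed-script test alone catches all three Ewido-reported folders, because each mixes one or two Cyrillic or Greek letters into an otherwise Latin name; the skeleton test then says which real folder is being imitated. On a live box the same trick shows up as an 8.3 alias that does not fit its long name (FNTS~1 where Fonts needs no alias), which is why a dir /x listing of the parent folder is the quickest manual check.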

#4 Rawe (Members, 2,363 posts, Finland)

Posted 12 August 2006 - 03:13 AM

Alrighty.. Then please rename HijackThis.exe to Scanner.exe. Make sure to run this renamed file next time I need a fresh log. :thumbsup:

Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Check the Run VundoFix as a task box.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt in your NEXT reply.
---

2. Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • If you aren't able to finish the update within Ewido for one reason or another, you can install the manual updates here.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
Close Ewido Anti-spyware, DO NOT run a scan just yet, we will shortly.

==

3. Please download Brute Force Uninstaller to your desktop.
  • Right-click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
4. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


==

5. IMPORTANT: Do not open any other windows or programs while Ewido is scanning, it may interfere with the scanning process:
  • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido.
==

6. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the Complete script execution box to pop up and hit OK.
  • Press Exit to terminate the BFU program.
Reboot into normal Windows and post the contents of the Ewido log that you saved along with a fresh HijackThis log (Scanner.exe) as well as the contents of the C:\vundofix.txt log. :flowers: You will probably need to post a few replies to get it all to fit in. Maybe the best way to ensure you get it all would be that you post the Ewido log in its own reply, then the Vundofix log and the HijackThis log in the reply after Ewido.

#5 jayfortyfive (Topic Starter, 4 posts)

Posted 12 August 2006 - 11:49 AM

The results are in! (And will be split in 3 different replies :thumbsup: )

First here is the Scanner.exe (Hijack) log since running the other scans.

Logfile of HijackThis v1.99.1
Scan saved at 12:46:04 PM, on 8/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.portal.radford.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.portal.radford.edu/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O21 - SSODL: uJsnptYJ - {D4E07D7B-7E4A-D7D1-FA33-E4E6B406418F} - C:\WINDOWS\System32\nmdag.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

Here are the Ewido logs.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:31:09 PM 8/12/2006

+ Scan result:



C:\Program Files\System Files\plugin.dll -> Adware.CASClient : Cleaned.
C:\WINDOWS\system32\nsy32.dll -> Adware.Ezula : Cleaned.
C:\WINDOWS\Downloaded Program Files\SET8D.tmp -> Adware.MediaMotor : Cleaned.
C:\WINDOWS\Downloaded Program Files\amm06.ocx -> Adware.MediaMotor : Cleaned.
C:\uninstall6_90.exe -> Adware.NewDotNet : Cleaned.
C:\Program Files\Fоnts\wuaclt.exe -> Adware.PurityScan : Cleaned.
C:\WINDOWS\system32\rk.bin -> Adware.RK : Cleaned.
C:\WINDOWS\MirarSetup_876075.exe -> Adware.SaveNow : Cleaned.
C:\WINDOWS\System32bez6n4r21.exe -> Adware.SearchAssistant : Cleaned.
C:\WINDOWS\System32ghynf.exe -> Adware.SearchAssistant : Cleaned.
C:\WINDOWS\System32tpsd.exe -> Adware.SearchAssistant : Cleaned.
C:\WINDOWS\System32zkdmg.exe -> Adware.SearchAssistant : Cleaned.
C:\WINDOWS\system32\bez6n4r21.exe -> Adware.SearchAssistant : Cleaned.
C:\WINDOWS\system32\ekuxpv3.exe -> Adware.SearchAssistant : Cleaned.
C:\WINDOWS\system32\ghynf.exe -> Adware.SearchAssistant : Cleaned.
C:\WINDOWS\system32\tpsd.exe -> Adware.SearchAssistant : Cleaned.
C:\WINDOWS\system32\zkdmg.exe -> Adware.SearchAssistant : Cleaned.
C:\Program Files\HijackThis\backups\backup-20060811-145644-400.dll -> Adware.Suggestor : Cleaned.
C:\WINDOWS\system32\hauc.exe -> Adware.Suggestor : Cleaned.
C:\WINDOWS\system32\iqqr.exe -> Adware.Suggestor : Cleaned.
C:\WINDOWS\system32\riwzkn.exe -> Adware.Suggestor : Cleaned.
C:\WINDOWS\system32\xeymi.dll -> Adware.Suggestor : Cleaned.
C:\WINDOWS\system32\zqskw.exe -> Adware.Suggestor : Cleaned.
HKLM\SOFTWARE\Classes\AppID\{4F5E5D72-C915-4f3b-908B-527D064B0FAA} -> Adware.SysProtect : Cleaned.
HKLM\SOFTWARE\Classes\CLSID\{EF130E77-0A34-4365-BFB7-218FD3DDCD5F} -> Adware.SysProtect : Cleaned.
HKLM\SOFTWARE\Classes\Interface\{02946FD1-2D99-46E6-A790-3A089714EDD9} -> Adware.SysProtect : Cleaned.
HKLM\SOFTWARE\Classes\TypeLib\{7EACF70B-302F-4049-AC68-2D62EB43E473} -> Adware.SysProtect : Cleaned.
C:\Documents and Settings\Adam\My Documents\Μicrosoft\tracert.exe -> Downloader.PurityScan.cu : Cleaned.
C:\WINDOWS\system32\ѕуstem\winspool.exe -> Downloader.PurityScan.cu : Cleaned.
C:\WINDOWS\installer_252.exe -> Downloader.Qoologic.at : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\USYP_0001_N76M2004NetInstaller.exe -> Downloader.Small : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\USYP_0001_N76M2004NetInstaller.exe -> Downloader.Small : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\USYP_0001_N76M2004NetInstaller.exe -> Downloader.Small : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned.
C:\WINDOWS\Downloaded Program Files\USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned.
C:\WINDOWS\Downloaded Program Files\USYP_0001_N76M2004NetInstaller.exe -> Downloader.Small : Cleaned.
C:\WINDOWS\system32\w00a1373.dll -> Downloader.Small : Cleaned.
C:\WINDOWS\system32\w021fa03.dll -> Downloader.Small : Cleaned.
C:\WINDOWS\system32\w06f1f1d.dll -> Downloader.Small : Cleaned.
C:\WINDOWS\ac3_0002.exe -> Downloader.Small.cyh : Cleaned.
C:\WINDOWS\amm06.ocx -> Downloader.VB.bo : Cleaned.
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx -> Dropper.PurityScan.ae : Cleaned.
C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\87EZYLKZ\popup[1].htm -> Hijacker.Agent.a : Cleaned.
C:\Program Files\MSN Gaming Zone\kyhexe.html -> Hijacker.Small.jf : Cleaned.
C:\Program Files\MSN\hofyvyna.html -> Hijacker.Small.jf : Cleaned.
C:\Program Files\Windows NT\kyhexe.html -> Hijacker.Small.jf : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX6_0001_N57M0912NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX6_0001_N57M0912NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX6_0001_N57M0912NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWFX6_0001_N57M0912NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWFX6_0001_N57M0912NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned.
C:\WINDOWS\Downloaded Program Files\UWFX6_0001_N57M0912NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned.
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N56M1011NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.c : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N68M2301NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned.
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N68M2301NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned.
C:\WINDOWS\Downloaded Program Files\USYP_0001_N73M0704NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.f : Cleaned.
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D08M0404NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@www.adtrak[2].txt -> TrackingCookie.Adtrak : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@www.epilot[1].txt -> TrackingCookie.Epilot : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Adam\Cookies\adam@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\USYP_0001_N69M1703NetInstaller.exe -> Trojan.Fakealert : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.11\USYP_0001_N69M1703NetInstaller.exe -> Trojan.Fakealert : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.12\USYP_0001_N69M1703NetInstaller.exe -> Trojan.Fakealert : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.13\USYP_0001_N69M1703NetInstaller.exe -> Trojan.Fakealert : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.14\USYP_0001_N69M1703NetInstaller.exe -> Trojan.Fakealert : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\USYP_0001_N69M1703NetInstaller.exe -> Trojan.Fakealert : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\USYP_0001_N69M1703NetInstaller.exe -> Trojan.Fakealert : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\USYP_0001_N69M1703NetInstaller.exe -> Trojan.Fakealert : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\USYP_0001_N69M1703NetInstaller.exe -> Trojan.Fakealert : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\USYP_0001_N69M1703NetInstaller.exe -> Trojan.Fakealert : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\USYP_0001_N69M1703NetInstaller.exe -> Trojan.Fakealert : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\USYP_0001_N69M1703NetInstaller.exe -> Trojan.Fakealert : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\USYP_0001_N69M1703NetInstaller.exe -> Trojan.Fakealert : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\USYP_0001_N69M1703NetInstaller.exe -> Trojan.Fakealert : Cleaned.
C:\WINDOWS\Downloaded Program Files\USYP_0001_N69M1703NetInstaller.exe -> Trojan.Fakealert : Cleaned.
C:\Program Files\Ares Lite Edition\AresLite.exe -> Trojan.Small : Cleaned.


::Report end

#6 jayfortyfive (Topic Starter)

Posted 12 August 2006 - 11:52 AM

Last but not least, the vundo log.

VundoFix V5.1.7

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.6

Scan started at 11:38:07 AM 8/12/2006

Listing files found while scanning....

No infected files were found.

#7 Rawe

Posted 13 August 2006 - 06:31 AM

Alright then :thumbsup:

Go ahead and uninstall Ewido Anti-spyware and delete VundoFix if you wish.

Please run a scan with HijackThis and check the following object for removal:

O21 - SSODL: uJsnptYJ - {D4E07D7B-7E4A-D7D1-FA33-E4E6B406418F} - C:\WINDOWS\System32\nmdag.dll


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

---

Download GMER:
  • Unzip it and double-click GMER.exe
  • Click the rootkit-tab and click scan.
  • Once done, click Copy.
  • This will copy the results to the clipboard.
  • Paste the results in your next reply.
Then also please rerun Combofix. Post a fresh log from it as well. :flowers:
Hi there, stranger!

#8 Rawe

Posted 30 August 2006 - 09:56 AM

Due to lack of feedback, this thread has been closed. If you're the original poster and need this Topic reopened, please PM a Staff member with the address of this thread.