
Surf Side Kick 3


This topic is locked
13 replies to this topic

#1 Crystal58415
  • Members
  • 7 posts

Posted 14 August 2006 - 10:55 AM

I've been infected with surfsidekick3 again! The first time it happened I had no trouble getting rid of it myself, this time not so lucky. I have XoftSpy and it will get rid of it temporarily, only to have it come back and infect my computer with other programs like AlcanA. Here is a copy of my Hijackthis log. Any help would be greatly appreciated. Thank you. ~Crystal

Logfile of HijackThis v1.99.1
Scan saved at 11:53:26 AM, on 8/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\RHVkZQ\command.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\hhtpezw.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\GE\97769 Dual Scroll Optical Mouse\Amoumain.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\dfndrff_9.exe
C:\WINDOWS\system32\wfxqhv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\hhtpezwA.exe
C:\WINDOWS\system32\zqskw.exe
C:\Program Files\Swkehz\Etgw.exe
C:\WINDOWS\system32\redistributor.exe
C:\Program Files\Common Files\{24644BA4-0AEF-1033-0208-041025200001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\aim\aim.exe
C:\PROGRA~1\COMMON~1\rmqf\rmqfm.exe
C:\Program Files\PSLister\PSLister.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\rmqf\rmqfa.exe
C:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\chweq.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ndeibgq.exe
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [defender] C:\\dfndrff_9.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [w02b222c.dll] RUNDLL32.EXE w02b222c.dll,I2 000a0f13002b222c
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swintpex.exe CORN003
O4 - HKLM\..\Run: [hhtpezwA] C:\WINDOWS\hhtpezwA.exe
O4 - HKLM\..\Run: [Fhmzcs] C:\Program Files\Swkehz\Etgw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [rmqf] C:\PROGRA~1\COMMON~1\rmqf\rmqfm.exe
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swintpex.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\ir6ql5j51.dll (file missing)
O20 - Winlogon Notify: DH - C:\WINDOWS\system32\enj2l11o1.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: logons - C:\WINDOWS\system32\redist1.dll
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\o4480ehueh480.dll (file missing)
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\i406leds1h06.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RHVkZQ\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\hhtpezw.exe



#2 -David-
  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 14 August 2006 - 12:47 PM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Your system is terribly infected. The problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show. Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution. So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

Due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately. Disconnect the infected computer from the internet until the computer can be cleaned. From a clean computer, change all your online passwords: for email, for banks, eBay, forums etc. Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information.

1) Click on start, then control panel, and then double-click on add/remove programs. From within add/remove program uninstall the following if they exist by double-clicking on the following entries:

Command Service
Network Monitor
Windows Overlay Components


2) Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute'-window you'll see a little icon.
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script ( alcanshorty.bfu ) manually from the above URL (right-click on it and choose 'save as' and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window.
Browse to the script you downloaded and Click Ok and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

3) Please download Look2Me-Destroyer from here to your desktop.
Close all programs before continuing.
Double-click Look2Me-Destroyer.exe icon to run it.
Put a check next to "Run this program as a task".
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click "OK"
When Look2Me-Destroyer re-opens, click the "Scan for L2M" button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the "Remove L2M" button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message - Done removing infected files....., click OK.
After the restart, please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
Note, if Look2Me-Destroyer does not reopen automatically, reboot and try again.

4) Please download, install, and update Ewido anti-spyware
Load Ewido and then click the Update tab at the top.
Under Manual Update click Start update.

After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner tab at the top.
Click the "Settings" tab and then change the recommended action to Quarantine.
Click Automatically generate report after every scan.
Click back to the "Scan" tab and then click on Complete System Scan.
This scan can take quite a while to run, so be prepared.
Ewido will list any infections found on the left hand side.

When the scan has finished, it will automatically set the recommended action.
Click the Apply all actions button.
Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As".
This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Close Ewido and reboot!! I need the log later.

Please post back with:
1) The ewido log
2) The look2me log
3) A new Hijackthis log

David
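As an added illustration of the triage David is doing by eye above (this is not part of the thread, and not HijackThis or BleepingComputer code), here is a Python script that applies a few of the same rules to entries copied from the log in this thread: system.ini Shell/UserInit values that launch extra programs, Run entries pointing into the drive root, orphaned or random-named Winlogon Notify DLLs, and O23 services with no publisher. The rule thresholds and the sample entries are my own constructions, chosen to match what this log shows.

```python
import re

# Constructed sample: a handful of entries copied from the HijackThis logs
# posted in this thread, mixed with known-good entries for contrast.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\chweq.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ndeibgq.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_9.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\ir6ql5j51.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RHVkZQ\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\hhtpezw.exe
"""

# The only program each system.ini key should name on a clean XP box.
EXPECTED_SYSTEM_INI = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}


def basename(path):
    """Last path component, tolerant of Windows separators and quotes."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def looks_random(name):
    """Heuristic (my assumption): two or more separate digit runs inside a
    file stem, e.g. ir6ql5j51, is typical of the generated names in this log."""
    stem = name.rsplit(".", 1)[0]
    return len(re.findall(r"\d+", stem)) >= 2


def check_system_ini(body):
    """F2: flag Shell= / UserInit= values that launch anything extra."""
    m = re.match(r"REG:system\.ini: (Shell|UserInit)=(.*)$", body)
    if not m:
        return None
    key, value = m.groups()
    programs = [p.strip() for p in value.split(",") if p.strip()]
    extra = [p for p in programs if basename(p).lower() != EXPECTED_SYSTEM_INI[key]]
    return f"{key} also launches: {', '.join(extra)}" if extra else None


def check_run_entry(body):
    """O4: flag autostart executables sitting directly in the drive root."""
    m = re.search(r"(?:\]|=) (.*)$", body)
    if not m:
        return None
    target = m.group(1).strip().strip('"')
    exe = re.match(r"(.*?\.exe)", target, re.I)
    path = exe.group(1) if exe else target
    if re.match(r"^[a-z]:\\+[^\\]+$", path, re.I):
        return f"program runs from drive root: {path}"
    return None


def check_winlogon_notify(body):
    """O20: flag orphaned entries and random-looking notify DLL names."""
    m = re.match(r"Winlogon Notify: (.+?) - (.+)$", body)
    if not m:
        return None
    reasons = []
    dll = m.group(2)
    if dll.endswith("(file missing)"):
        reasons.append("orphaned entry (file missing)")
        dll = dll[: -len("(file missing)")].strip()
    if looks_random(basename(dll)):
        reasons.append(f"random-looking DLL name {basename(dll)}")
    return "; ".join(reasons) or None


def check_service(body):
    """O23: flag services HijackThis could not attribute to a publisher."""
    m = re.match(r"Service: (.+?) - (.+?) - (.+)$", body)
    if not m:
        return None
    name, owner, path = m.groups()
    if owner.strip().lower() == "unknown owner":
        return f"service '{name}' has no publisher, runs {path}"
    return None


CHECKS = {"F2": check_system_ini, "O4": check_run_entry,
          "O20": check_winlogon_notify, "O23": check_service}


def triage(log_text):
    """Return (section, reason, original line) for every entry a rule flags."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^(R\d|F\d|O\d+) - (.*)$", line.strip())
        if not m:
            continue
        section, body = m.groups()
        check = CHECKS.get(section)
        reason = check(body) if check else None
        if reason:
            findings.append((section, reason, line.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the sample it reports the three "Unknown owner" services David asks to uninstall in step 1, plus the system.ini, drive-root and Winlogon Notify entries; entries it does not flag are not thereby clean, the rules only catch the patterns named above.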

#3 Crystal58415
  • Topic Starter
  • Members
  • 7 posts

Posted 15 August 2006 - 03:56 PM

David,
Thanks for the reply! I cannot get Ewido to run on my computer. I ran it yesterday and at the very end of the scan, it froze and today I can't even get the program to start. But everything else you suggested went fine. Here are the logs you requested for Look2Me and a new HijackThis log. ~Crystal

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 8/14/2006 2:38:26 PM

Infected! C:\WINDOWS\system32\ir6ql5j51.dll
Infected! C:\WINDOWS\system32\o4480ehueh480.dll
Infected! C:\WINDOWS\system32\i406leds1h06.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP799\A0177187.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP801\A0177281.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP801\A0177292.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP801\A0177299.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP801\A0177326.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP801\A0177330.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP801\A0178329.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP802\A0178361.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP803\A0178395.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP803\A0178425.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP803\A0178430.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP803\A0178431.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP803\A0178435.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP805\A0178615.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP805\A0178653.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP805\A0178654.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP805\A0178655.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP805\A0178659.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP806\A0178679.dll
Infected! C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP806\A0178683.dll
Infected! C:\WINDOWS\system32\c6002gdmg60a2.dll
Infected! C:\WINDOWS\system32\d6j00g1me6.dll
Infected! C:\WINDOWS\system32\dfvoice.dll
Infected! C:\WINDOWS\system32\enj2l11o1.dll
Infected! C:\WINDOWS\system32\fp4s03h7e.dll
Infected! C:\WINDOWS\system32\icsetup.dll
Infected! C:\WINDOWS\system32\iiencode.dll
Infected! C:\WINDOWS\system32\irj6l51s1.dll
Infected! C:\WINDOWS\system32\kfdgae.dll
Infected! C:\WINDOWS\system32\lmkrn11n.dll
Infected! C:\WINDOWS\system32\mdctfp.dll
Infected! C:\WINDOWS\system32\mnexch40.dll
Infected! C:\WINDOWS\system32\mxiole32.dll
Infected! C:\WINDOWS\system32\p4n8le5u1h.dll
Infected! C:\WINDOWS\system32\qyvd.dll
Infected! C:\WINDOWS\system32\sixcoins.dll
Infected! C:\WINDOWS\system32\ssayerxp.dll
Infected! C:\WINDOWS\system32\ulbui.dll
Infected! C:\WINDOWS\system32\whapi.dll
Infected! C:\WINDOWS\system32\wI2time.dll
Infected! C:\WINDOWS\system32\wrd_ci.dll

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP799\A0177187.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP799\A0177187.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP801\A0177281.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP801\A0177281.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP801\A0177292.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP801\A0177292.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP801\A0177299.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP801\A0177299.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP801\A0177326.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP801\A0177326.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP801\A0177330.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP801\A0177330.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP801\A0178329.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP801\A0178329.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP802\A0178361.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP802\A0178361.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP803\A0178395.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP803\A0178395.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP803\A0178425.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP803\A0178425.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP803\A0178430.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP803\A0178430.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP803\A0178431.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP803\A0178431.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP803\A0178435.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP803\A0178435.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP805\A0178615.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP805\A0178615.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP805\A0178653.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP805\A0178653.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP805\A0178654.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP805\A0178654.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP805\A0178655.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP805\A0178655.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP805\A0178659.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP805\A0178659.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP806\A0178679.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP806\A0178679.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP806\A0178683.dll
C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP806\A0178683.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\c6002gdmg60a2.dll
C:\WINDOWS\system32\c6002gdmg60a2.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\d6j00g1me6.dll
C:\WINDOWS\system32\d6j00g1me6.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dfvoice.dll
C:\WINDOWS\system32\dfvoice.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\enj2l11o1.dll
C:\WINDOWS\system32\enj2l11o1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fp4s03h7e.dll
C:\WINDOWS\system32\fp4s03h7e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\icsetup.dll
C:\WINDOWS\system32\icsetup.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\iiencode.dll
C:\WINDOWS\system32\iiencode.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\irj6l51s1.dll
C:\WINDOWS\system32\irj6l51s1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kfdgae.dll
C:\WINDOWS\system32\kfdgae.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lmkrn11n.dll
C:\WINDOWS\system32\lmkrn11n.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mdctfp.dll
C:\WINDOWS\system32\mdctfp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mnexch40.dll
C:\WINDOWS\system32\mnexch40.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mxiole32.dll
C:\WINDOWS\system32\mxiole32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\p4n8le5u1h.dll
C:\WINDOWS\system32\p4n8le5u1h.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\qyvd.dll
C:\WINDOWS\system32\qyvd.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\sixcoins.dll
C:\WINDOWS\system32\sixcoins.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ssayerxp.dll
C:\WINDOWS\system32\ssayerxp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ulbui.dll
C:\WINDOWS\system32\ulbui.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\whapi.dll
C:\WINDOWS\system32\whapi.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wI2time.dll
C:\WINDOWS\system32\wI2time.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wrd_ci.dll
C:\WINDOWS\system32\wrd_ci.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B1BD8726-E6F5-46EF-8A34-85D0025F07B4}"
HKCR\Clsid\{B1BD8726-E6F5-46EF-8A34-85D0025F07B4}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0DF849C8-3D64-4BB6-BC54-F78B38C4AB70}"
HKCR\Clsid\{0DF849C8-3D64-4BB6-BC54-F78B38C4AB70}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

Logfile of HijackThis v1.99.1
Scan saved at 4:54:42 PM, on 8/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\GE\97769 Dual Scroll Optical Mouse\Amoumain.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\{24644BA4-0AEF-1033-0208-041025200001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\aim\aim.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\chweq.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ndeibgq.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [w02b222c.dll] RUNDLL32.EXE w02b222c.dll,I2 000a0f13002b222c
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swintpex.exe CORN003
O4 - HKLM\..\Run: [hhtpezwA] C:\WINDOWS\hhtpezwA.exe
O4 - HKLM\..\Run: [Fhmzcs] C:\Program Files\Swkehz\Etgw.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [NwCplMonitor] C:\WINDOWS\system32\redistributor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [rmqf] C:\PROGRA~1\COMMON~1\rmqf\rmqfm.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swintpex.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: DH - C:\WINDOWS\system32\enj2l11o1.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: logons - C:\WINDOWS\system32\redist1.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\hhtpezw.exe (file missing)

#4 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 15 August 2006 - 04:22 PM

Ok, that's fine so far.
Don't worry about the Ewido scan for now.

The way I like to work these logs is take an infection at a time, so it might take slightly longer.
Don't expect the system to be running perfectly after completing the following,
We still have a handful of hidden files/folders and leftovers to tackle in the next stage..

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Open notepad and copy and paste next in it:

sc delete "Windows Overlay Components "

Save this as fix.bat
Choose to save as all files.
This is how the batch must look afterwards:
Doubleclick fix.bat and let the program run.

This following step will work if you follow the instructions carefully.
Please download LSPfix and save it to the Desktop and unzip it.
Run LSPfix and place a check against the I know what I am doing checkbox.
Highlight every instance of newdotnet6_38.dll and move it from the Keep to the Remove panel, if not already there.
Be sure to move nothing other than the files listed below; because otherwise you will lose your internet connection!
When done, click on Finish to exit the program; do not use the X in the top right-hand corner as nothing will happen!
Reboot.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\chweq.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ndeibgq.exe
O4 - HKLM\..\Run: [w02b222c.dll] RUNDLL32.EXE w02b222c.dll,I2 000a0f13002b222c
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swintpex.exe CORN003
O4 - HKLM\..\Run: [hhtpezwA] C:\WINDOWS\hhtpezwA.exe
O4 - HKLM\..\Run: [Fhmzcs] C:\Program Files\Swkehz\Etgw.exe
O4 - HKLM\..\Run: [NwCplMonitor] C:\WINDOWS\system32\redistributor.exe
O4 - HKCU\..\Run: [rmqf] C:\PROGRA~1\COMMON~1\rmqf\rmqfm.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swintpex.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O20 - Winlogon Notify: DH - C:\WINDOWS\system32\enj2l11o1.dll (file missing)
O20 - Winlogon Notify: logons - C:\WINDOWS\system32\redist1.dll (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\hhtpezw.exe (file missing)


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\chweq.exe
C:\WINDOWS\system32\ndeibgq.exe
C:\WINDOWS\system32\w02b222c.dll
C:\WINDOWS\system32\swintpex.exe
C:\WINDOWS\hhtpezwA.exe
C:\Program Files\Swkehz\Etgw.exe
C:\WINDOWS\system32\redistributor.exe
C:\Program Files\Common Files\rmqf\rmqfm.exe
C:\WINDOWS\system32\swintpex.exe


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Then find and delete the following folders if present:
C:\Program Files\Swkehz
C:\Program Files\Common Files\rmqf

Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A Notepad window will pop up after it's saved; please copy everything in that Notepad and paste it here.

Please download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Also post the uninstall list.

David
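The lines David picks out above are not random: a dangling "(file missing)" reference, an extra program chained into Shell/UserInit, a broken LSP entry, a service with no owner, and Run-key names that look generated. The script below is an added example (not a tool used in this thread) that encodes those rules of thumb and runs them over a constructed sample built from lines in this log; the vowel-ratio heuristic and the rule set are my own approximation, and `swintpex.exe` is deliberately included to show what a name heuristic misses.

```python
"""Triage rules for HijackThis 1.99.1 log lines (added example, not the helper's tool).

Encodes why the entries flagged in this thread stand out: '(file missing)'
references, programs chained into Shell/UserInit, a broken LSP chain, unowned
services and generated-looking names. The sample log is constructed here.
"""
import re

# Constructed sample: entries from this thread's log, flagged ones mixed with benign ones.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\chweq.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ndeibgq.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [w02b222c.dll] RUNDLL32.EXE w02b222c.dll,I2 000a0f13002b222c
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swintpex.exe CORN003
O4 - HKLM\..\Run: [hhtpezwA] C:\WINDOWS\hhtpezwA.exe
O4 - HKLM\..\Run: [Fhmzcs] C:\Program Files\Swkehz\Etgw.exe
O4 - HKCU\..\Run: [rmqf] C:\PROGRA~1\COMMON~1\rmqf\rmqfm.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O20 - Winlogon Notify: DH - C:\WINDOWS\system32\enj2l11o1.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\hhtpezw.exe (file missing)
"""

O4_RE = re.compile(r"O4 - \S+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)")
PATH_RE = re.compile(r'"?(?P<path>[^"]*?\.(?:exe|dll))"?', re.I)
F2_RE = re.compile(r"(?P<key>Shell|UserInit)=(?P<val>.*)", re.I)
# What a clean XP system.ini mapping holds; anything else chained in is suspect.
F2_DEFAULTS = {"shell": {"explorer.exe"},
               "userinit": {r"c:\windows\system32\userinit.exe", "userinit.exe"}}


def looks_random(token):
    """Vendor names read like words; generated ones ('fhmzcs', 'rmqf') barely have
    vowels. A hint for a human, not a verdict: 'swintpex' passes it, which is why
    the helper also relies on recognising the malware family."""
    stem = re.sub(r"[^a-z]", "", token.lower())
    if len(stem) < 3:
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) <= 0.2


def check_o4(name, cmd):
    """Rules for Run-key entries: rundll32 with a bare DLL name, generated-looking
    value/program names, programs living directly in the Windows folder."""
    reasons = []
    m = PATH_RE.match(cmd)
    exe = (m.group("path") if m else cmd).lower()
    base = exe.rsplit("\\", 1)[-1]            # os.path would split on '/' here
    if base.startswith("rundll32"):
        dll = re.search(r"\s(\S+\.dll)", cmd, re.I)
        subject = dll.group(1) if dll else ""
        if dll and "\\" not in subject:
            reasons.append(f"rundll32 loads {subject} by bare name")
    else:
        subject = base.rsplit(".", 1)[0]
    if looks_random(name) or looks_random(subject):
        reasons.append(f"generated-looking name: [{name}] {exe}")
    if re.match(r"c:\\windows\\[^\\]+$", exe):
        reasons.append("program started directly from the Windows folder")
    folder = re.match(r"c:\\program files\\([^\\]+)\\", exe)
    if folder and looks_random(folder.group(1)):
        reasons.append(f"generated-looking program folder: {folder.group(1)}")
    return reasons


def check_line(line):
    """Return the list of reasons a single HijackThis line deserves attention."""
    kind = re.match(r"([A-Z]\d+) - ", line)
    if not kind:
        return []
    kind, reasons = kind.group(1), []
    if "(file missing)" in line:
        reasons.append("points at a file that no longer exists (leftover to clean up)")
    if kind in ("R0", "R1") and line.rstrip().endswith("="):
        reasons.append("start/search page value has been emptied")
    if kind == "R3" and "is missing" in line:
        reasons.append("default URLSearchHook removed")
    if kind == "F2" and (m := F2_RE.search(line)):
        parts = [p.strip().lower() for p in m.group("val").split(",") if p.strip()]
        extra = [p for p in parts if p not in F2_DEFAULTS[m.group("key").lower()]]
        if extra:
            reasons.append(f"extra program chained into {m.group('key')}: {', '.join(extra)}")
    if kind == "O4" and (m := O4_RE.match(line)):
        reasons += check_o4(m.group("name"), m.group("cmd"))
    if kind == "O10" and "missing" in line:
        reasons.append("LSP chain references a missing DLL: repair with LSPfix, do not delete")
    if kind == "O23" and "Unknown owner" in line:
        reasons.append("service without vendor information")
    return reasons


def triage(log_text):
    """[(line, reasons)] for every line at least one rule fires on."""
    lines = [l.strip() for l in log_text.splitlines()]
    return [(l, r) for l in lines if (r := check_line(l))]


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```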

#5 Crystal58415

  • Topic Starter
  • Members
  • 7 posts

Posted 15 August 2006 - 06:27 PM

Ok, I'm on the last step... Combofix. I ran it and it stopped on "performing supplementary fixes". No log has popped up. How long does it take?

#6 Crystal58415

  • Topic Starter
  • Members
  • 7 posts

Posted 15 August 2006 - 06:29 PM

Also, when running Killbox, it stated "Pending File Rename Operations". Just letting you know :thumbsup:

#7 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 16 August 2006 - 03:12 AM

Ok, skip Combofix for now and complete the rest of the instructions. :thumbsup:
David

#8 Crystal58415

  • Topic Starter
  • Members
  • 7 posts

Posted 16 August 2006 - 09:31 PM

Uninstall List:

Adobe Reader 7.0.8
AOL Instant Messenger
BigFix
CC_ccStart
ccCommon
Command
CompuServe
Diablo II
Fruity Loops Studio 4.1
GE 97769 Dual Scroll Optical Mouse
Google Earth
HijackThis 1.99.1
iMesh
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet
Internet Explorer Q903235
iPod for Windows 2005-09-23
iTunes
J2SE Runtime Environment 5.0 Update 6
Learn2 Player (Uninstall Only)
Lexmark Photo Center
Lexmark Z700-P700 Series
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
Macromedia Shockwave Player
Majesty - Gold Edition
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Works 6.0
Mozilla Firefox (1.5.0.6)
MSRedist
Network Monitor
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
PartyPoker
PMP DV
PowerDVD
QuickTime
RealPlayer
Realtek AC'97 Audio
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Sierra Utilities
Snood for Windows version 3.52-W
SoftV92 Data Fax Modem with SmartCP
Starcraft
Symantec Script Blocking Installer
SymNet
The Sims 2
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Web Savings from Ebates
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Overlay Components
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinZip
Worms Armageddon
XoftSpySE


Logfile of HijackThis v1.99.1
Scan saved at 10:31:09 PM, on 8/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\GE\97769 Dual Scroll Optical Mouse\Amoumain.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Common Files\{24644BA4-0AEF-1033-0208-041025200001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\aim\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

#9 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 17 August 2006 - 04:48 AM

Hello there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

I see you have Viewpoint installed.
Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Click on start, then control panel, and then double-click on add/remove programs. From within add/remove program uninstall the following if they exist by double-clicking on the following entries:

Command
Network Monitor
Web Savings from Ebates
Windows Overlay Components


Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\Program Files\Common Files\{24644BA4-0AEF-1033-0208-041025200001}\Update.exe

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say Yes.

After the reboot search and delete this folder:
C:\Program Files\Common Files\{24644BA4-0AEF-1033-0208-041025200001}

Please download Ad-Aware SE Personal and install it.
If you already have Ad-Aware SE, please configure it as indicated below.
If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

Run Ad-Aware, and click Check for updates now.
Select Configurations (click the Gear wheel at the top) as follows:
General Button > Safety & Settings > Check (Green) all three.
Tweak Button > Cleaning Engine > uncheck "Always try to unload modules before deletion".
Click Proceed.

To start the scan, Click > "Scan Now" at left.
Select "Search for low-risk threats".
Select "Perform full system scan".
Click "Next".

When the scan has completed, select Next.
In the Scanning Results window, select the "Critical Objects" tab.
Right-click on the screen and choose "Select all objects".
Click Next to remove the infections found, and click OK to the prompt.
Restart the computer.

Download GMER from Here
Right Click the Zip and Select "Extract All"
Double Click gmer.exe to launch the program.
Click on the Rootkit Tab and then click Scan.
It takes a while to run; once complete, copy the results to Notepad and save them somewhere safe.
Post those results in the next reply.
Also try combofix again and let me know what happens.

David

#10 Crystal58415

  • Topic Starter
  • Members
  • 7 posts

Posted 21 August 2006 - 11:32 AM

Start Time= Mon 08/21/2006 12:01:23.51
Running from: C:\Documents and Settings\Dude\Desktop

QuickScan did not find any signs of infected files

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igfxcui
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon\Settings
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\SYSTEM32\WTVADVE.DLL


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

19:32:46.48

* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-08-12 18:27:52 48,167 "C:\WINDOWS\system32\VSL05.exe"
2006-06-26 13:37:10 148,480 "C:\WINDOWS\system32\dnsapi.dll"
2006-06-23 07:02:50 55,808 "C:\WINDOWS\system32\extmgr.dll"
2006-06-23 07:02:50 96,256 "C:\WINDOWS\system32\inseng.dll"
2006-07-28 07:28:54 3,054,080 "C:\WINDOWS\system32\mshtml.dll"
2006-06-23 07:02:52 532,480 "C:\WINDOWS\system32\mstime.dll"
2006-07-25 16:33:40 613,888 "C:\WINDOWS\system32\urlmon.dll"
2006-06-19 16:19:26 304,944 "C:\WINDOWS\system32\WgaTray.exe"
2006-06-23 07:02:50 151,040 "C:\WINDOWS\system32\cdfview.dll"
2006-06-23 07:02:50 357,888 "C:\WINDOWS\system32\dxtmsft.dll"
2006-06-23 07:02:50 205,312 "C:\WINDOWS\system32\dxtrans.dll"
2006-06-23 07:02:50 251,392 "C:\WINDOWS\system32\iepeers.dll"
2006-06-01 14:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 14:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
2006-05-18 01:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
2006-06-23 07:02:50 16,384 "C:\WINDOWS\system32\jsproxy.dll"
2006-06-23 07:02:52 39,424 "C:\WINDOWS\system32\pngfilt.dll"
2006-06-23 07:02:52 1,494,016 "C:\WINDOWS\system32\shdocvw.dll"
2006-07-13 09:33:28 8,453,632 "C:\WINDOWS\system32\shell32.dll"
2006-06-23 07:02:52 474,112 "C:\WINDOWS\system32\shlwapi.dll"
2006-06-23 07:02:52 658,944 "C:\WINDOWS\system32\wininet.dll"
2006-08-12 17:34:10 234,272 "C:\WINDOWS\system32\WTVADVE.DLL"
2006-06-23 07:02:50 1,054,208 "C:\WINDOWS\system32\danim.dll"
2006-07-21 04:24:44 72,704 "C:\WINDOWS\system32\hlink.dll"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *




DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-19 16:19:26 304,944 "C:\WINDOWS\system32\WgaTray.exe"
2006-08-12 18:27:52 48,167 "C:\WINDOWS\system32\VSL05.exe"
2006-06-23 07:02:50 151,040 "C:\WINDOWS\system32\cdfview.dll"
2006-06-23 07:02:50 357,888 "C:\WINDOWS\system32\dxtmsft.dll"
2006-06-23 07:02:50 205,312 "C:\WINDOWS\system32\dxtrans.dll"
2006-06-23 07:02:50 251,392 "C:\WINDOWS\system32\iepeers.dll"
2006-06-01 14:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 14:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
2006-05-18 01:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
2006-06-23 07:02:50 16,384 "C:\WINDOWS\system32\jsproxy.dll"
2006-06-23 07:02:52 39,424 "C:\WINDOWS\system32\pngfilt.dll"
2006-06-23 07:02:52 1,494,016 "C:\WINDOWS\system32\shdocvw.dll"
2006-07-13 09:33:28 8,453,632 "C:\WINDOWS\system32\shell32.dll"
2006-06-23 07:02:52 474,112 "C:\WINDOWS\system32\shlwapi.dll"
2006-06-23 07:02:52 658,944 "C:\WINDOWS\system32\wininet.dll"
2006-06-26 13:37:10 148,480 "C:\WINDOWS\system32\dnsapi.dll"
2006-06-23 07:02:50 55,808 "C:\WINDOWS\system32\extmgr.dll"
2006-06-23 07:02:50 96,256 "C:\WINDOWS\system32\inseng.dll"
2006-07-28 07:28:54 3,054,080 "C:\WINDOWS\system32\mshtml.dll"
2006-06-23 07:02:52 532,480 "C:\WINDOWS\system32\mstime.dll"
2006-07-25 16:33:40 613,888 "C:\WINDOWS\system32\urlmon.dll"
2006-06-23 07:02:50 1,054,208 "C:\WINDOWS\system32\danim.dll"
2006-07-21 04:24:44 72,704 "C:\WINDOWS\system32\hlink.dll"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\LocalService\Application Data\NetMon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-20 23:58:30 528446 ( A.... ) "C:\WINDOWS\gmer.dll"
2006-08-19 17:14:12 ( .D... ) "C:\Program Files\Lavasoft"
2006-08-14 14:54:54 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-08-12 18:31:12 38412 ( A.... ) "C:\WINDOWS\ssqbn.exe"
2006-08-12 18:27:52 48167 ( A.... ) "C:\WINDOWS\system32\VSL05.exe"
2006-08-12 18:27:50 1167 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-08-12 18:27:50 1167 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-08-10 20:18:18 ( .D... ) "C:\Program Files\Enigma Software Group"
2006-08-10 13:26:06 ( .D... ) "C:\Program Files\Common Files\{24644BA4-0AF0-1033-0208-041025200001}"
2006-08-09 00:18:00 0 ( A.... ) "C:\WINDOWS\ms052740610552006.exe"
2006-08-09 00:02:08 ( .D... ) "C:\Program Files\System Files"
2006-08-08 00:04:48 0 ( A.... ) "C:\Documents and Settings\Dude\Application Data\internaldb41.dat"
2006-08-08 00:04:40 903 ( A.... ) "C:\WINDOWS\system32\winpfg32.sys"
2006-08-08 00:04:40 903 ( A.... ) "C:\WINDOWS\system32\winpfg32.sys"
2006-08-08 00:04:12 ( .D... ) "C:\Program Files\PSLister"
2006-08-08 00:04:08 61952 ( A.... ) "C:\WINDOWS\system32\aaa00000.dll"
2006-08-08 00:04:04 235134 ( A.... ) "C:\WINDOWS\srvtgbkjip.exe"
2006-08-08 00:04:04 184829 ( A.... ) "C:\WINDOWS\srvxqvqcjh.exe"
2006-08-08 00:04:04 ( .D... ) "C:\Program Files\PSHope"
2006-08-08 00:03:26 ( .D... ) "C:\Program Files\System Icons"
2006-08-01 11:06:52 ( .D... ) "C:\Documents and Settings\Dude\Application Data\Leadertech"
2006-08-01 01:43:46 ( .D... ) "C:\Documents and Settings\Dude\Application Data\AdobeAUM"
2006-08-01 01:43:44 ( .D... ) "C:\Documents and Settings\Dude\Application Data\AdobeUM"
2006-07-27 09:24:46 679424 ( A.... ) "C:\WINDOWS\system32\inetcomm.dll"
2006-07-21 04:24:44 72704 ( A.... ) "C:\WINDOWS\system32\hlink.dll"
2006-07-14 11:31:40 332288 ( A.... ) "C:\WINDOWS\system32\netapi32.dll"
2006-07-13 09:33:28 8453632 ( A.... ) "C:\WINDOWS\system32\shell32.dll"
2006-07-05 06:55:02 984064 ( A.... ) "C:\WINDOWS\system32\kernel32.dll"
2006-06-28 19:35:46 ( .D... ) "C:\Documents and Settings\Dude\Application Data\Google"
2006-06-28 19:35:34 ( .D... ) "C:\Program Files\Google"
2006-06-26 13:37:10 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-06-26 13:37:10 8192 ( A.... ) "C:\WINDOWS\system32\rasadhlp.dll"
2006-06-23 11:22:08 9216 ( A.... ) "C:\WINDOWS\fubd.dll"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-06 20:49:18 745531 ( A.... ) "C:\WINDOWS\gmer.exe"
2005-12-05 19:28:30 3673932 ( ..... ) "C:\Program Files\Dec2005_MDX1_x86_Archive.cab"
2005-12-05 19:28:04 1358864 ( ..... ) "C:\Program Files\Dec2005_d3dx9_28_x64.cab"
2005-12-05 19:28:02 86925 ( ..... ) "C:\Program Files\Oct2005_xinput_x64.cab"
2005-12-05 19:28:02 46247 ( ..... ) "C:\Program Files\Oct2005_xinput_x86.cab"
2005-12-05 19:28:02 41888 ( ..... ) "C:\Program Files\dxdllreg_x86.cab"
2005-12-05 19:28:00 916806 ( ..... ) "C:\Program Files\Dec2005_MDX1_x86.cab"
2005-12-05 19:27:58 1080344 ( ..... ) "C:\Program Files\Dec2005_d3dx9_28_x86.cab"
2005-12-05 19:00:46 2247888 ( ..... ) "C:\Program Files\dsetup32.dll"
2005-12-05 19:00:46 484560 ( ..... ) "C:\Program Files\DXSETUP.exe"
2005-12-05 19:00:46 81092 ( ..... ) "C:\Program Files\dxupdate.cab"
2005-12-05 19:00:46 74448 ( ..... ) "C:\Program Files\DSETUP.dll"
2005-12-05 19:00:44 1351430 ( ..... ) "C:\Program Files\Aug2005_d3dx9_27_x64.cab"
2005-12-05 19:00:44 1348242 ( ..... ) "C:\Program Files\Apr2005_d3dx9_25_x64.cab"
2005-12-05 19:00:44 1336890 ( ..... ) "C:\Program Files\Jun2005_d3dx9_26_x64.cab"
2005-12-05 19:00:44 1248387 ( ..... ) "C:\Program Files\Feb2005_d3dx9_24_x64.cab"
2005-12-05 19:00:44 1079850 ( ..... ) "C:\Program Files\Apr2005_d3dx9_25_x86.cab"
2005-12-05 19:00:44 1078532 ( ..... ) "C:\Program Files\Aug2005_d3dx9_27_x86.cab"
2005-12-05 19:00:44 1065813 ( ..... ) "C:\Program Files\Jun2005_d3dx9_26_x86.cab"
2005-12-05 19:00:44 1014113 ( ..... ) "C:\Program Files\Feb2005_d3dx9_24_x86.cab"
2005-12-05 19:00:42 13265040 ( ..... ) "C:\Program Files\dxnt.cab"
2005-12-05 19:00:40 15493481 ( ..... ) "C:\Program Files\DirectX.cab"
2005-12-05 19:00:40 1156363 ( ..... ) "C:\Program Files\BDANT.cab"
2005-12-05 19:00:40 976020 ( ..... ) "C:\Program Files\BDAXP.cab"
2005-12-05 19:00:40 703080 ( ..... ) "C:\Program Files\BDA.cab"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-20 23:58 745,531 C:\WINDOWS\gmer.exe
2006-08-20 23:58 528,446 C:\WINDOWS\gmer.dll
2006-08-12 18:31 38,412 C:\WINDOWS\ssqbn.exe
2006-08-09 00:17 0 C:\WINDOWS\ms052740610552006.exe
2006-08-08 00:04 903 C:\WINDOWS\system32\winpfg32.sys
2006-08-08 00:04 61,952 C:\WINDOWS\system32\aaa00000.dll
2006-08-08 00:04 48,167 C:\WINDOWS\system32\VSL05.exe
2006-08-08 00:04 235,134 C:\WINDOWS\srvtgbkjip.exe
2006-08-08 00:04 184,829 C:\WINDOWS\srvxqvqcjh.exe
2006-08-08 00:04 1,167 C:\WINDOWS\system32\aaa00000.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"AIM"="C:\\Program Files\\aim\\aim.exe -cnetwait.odl"
"themonitor"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{24644BA4-0AEF-1033-0208-041025200001}"="\"C:\\Program Files\\Common Files\\{24644BA4-0AEF-1033-0208-041025200001}\\Update.exe\" mc-110-12-0000137"
"{24644BA4-0AF0-1033-0208-041025200001}"="\"C:\\Program Files\\Common Files\\{24644BA4-0AF0-1033-0208-041025200001}\\Update.exe\" mc-110-12-0000140"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: Mon 08/21/2006 12:01:41.51
ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-15.192306.txt
ComboFix.2006-08-15.193153.txt
ComboFix.2006-08-21.120123.txt



GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-21 12:00:21
Windows 5.1.2600 Service Pack 2


---- Modules - GMER 1.0.10 ----

Module \SystemRoot\system32\drivers\kmixer.sys (*** hidden *** ) ED34A000 <-- ROOTKIT !!!

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}

---- EOF - GMER 1.0.10 ----

#11 -David-
  • Members
  • 10,603 posts
  • Location:London

Posted 21 August 2006 - 11:42 AM

Hello there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\ssqbn.exe
C:\WINDOWS\system32\VSL05.exe
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\ms052740610552006.exe
C:\WINDOWS\system32\winpfg32.sys
C:\WINDOWS\system32\aaa00000.dll
C:\WINDOWS\srvtgbkjip.exe
C:\WINDOWS\srvxqvqcjh.exe
C:\Documents and Settings\Dude\Application Data\internaldb41.dat


Open 'File' in the KillBox menu on top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if any appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Please delete this folder:
C:\Program Files\PSHope

Please open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"themonitor"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

Save this as "fix.reg" (choose to save as *all files*) and place it on your desktop.
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", copy and paste the following into the field:

C:\WINDOWS\fubd.dll

Then click the Send File button below.
Please let me know when you have submitted the file.

Please do the same for the following file:
C:\Windows\system32\drivers\kmixer.sys

Then reboot and post back with a new Hijackthis log.
David
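The reply above does its triage by eye: pick the files out of ComboFix's "Files Created" list that do not belong, then write a KillBox list and a REGEDIT4 script. The block below is an added example of that triage in code; it is not a tool from this thread or from BleepingComputer. The sample text is copied from the ComboFix log posted earlier in the thread; the rules it applies (driver outside the drivers folder, zero-byte executable, executable dropped into the Windows root, same-minute batch, empty Run value, populated Policies\Explorer\Run key) and the allowlist of tools are this example's own assumptions, not rules the helper stated.

```python
"""Added example: triage of the ComboFix log sections posted above.
Sample text is copied from that log; the rules and KNOWN_TOOLS allowlist
are this example's assumptions, not the helper's stated method."""
import re
from collections import defaultdict

# Sample input: copied from the "Files Created - Last 30days" section above.
FILES_CREATED = r"""
2006-08-20 23:58 745,531 C:\WINDOWS\gmer.exe
2006-08-20 23:58 528,446 C:\WINDOWS\gmer.dll
2006-08-12 18:31 38,412 C:\WINDOWS\ssqbn.exe
2006-08-09 00:17 0 C:\WINDOWS\ms052740610552006.exe
2006-08-08 00:04 903 C:\WINDOWS\system32\winpfg32.sys
2006-08-08 00:04 61,952 C:\WINDOWS\system32\aaa00000.dll
2006-08-08 00:04 48,167 C:\WINDOWS\system32\VSL05.exe
2006-08-08 00:04 235,134 C:\WINDOWS\srvtgbkjip.exe
2006-08-08 00:04 184,829 C:\WINDOWS\srvxqvqcjh.exe
2006-08-08 00:04 1,167 C:\WINDOWS\system32\aaa00000.sys
"""
# Sample input: copied from the "Reg Loading Points" section above.
REG_LOADING_POINTS = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"AIM"="C:\\Program Files\\aim\\aim.exe -cnetwait.odl"
"themonitor"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{24644BA4-0AEF-1033-0208-041025200001}"="\"C:\\Program Files\\Common Files\\{24644BA4-0AEF-1033-0208-041025200001}\\Update.exe\" mc-110-12-0000137"
"{24644BA4-0AF0-1033-0208-041025200001}"="\"C:\\Program Files\\Common Files\\{24644BA4-0AF0-1033-0208-041025200001}\\Update.exe\" mc-110-12-0000140"
"""

KNOWN_TOOLS = {"gmer.exe", "gmer.dll"}   # assumption: tools the helper asked for
EXEC_EXT = {".exe", ".dll", ".sys"}
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) ([\d,]+) (.+)$")
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_files(text):
    """Return [(minute, size, path)] from a 'Files Created' section."""
    out = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(2).replace(",", "")), m.group(3)))
    return out


def _split(path):
    d, _, name = path.rpartition("\\")
    return d.lower(), name.lower()


def suspicious_file(size, path):
    """Per-file rules (this example's own, not rules stated in the thread)."""
    d, name = _split(path)
    ext = name[name.rfind("."):]
    if name in KNOWN_TOOLS or ext not in EXEC_EXT:
        return False
    if ext == ".sys" and not d.endswith(r"\system32\drivers"):
        return True   # kernel driver dropped outside the drivers folder
    # zero-byte executable, or an executable dropped straight into %SystemRoot%
    return size == 0 or d == r"c:\windows"


def triage_files(text):
    """Sorted paths to delete; a same-minute batch containing a flagged file
    is treated as one dropper's output and flagged as a whole."""
    entries = parse_files(text)
    flagged = {p for _, size, p in entries if suspicious_file(size, p)}
    by_minute = defaultdict(list)
    for minute, _, p in entries:
        by_minute[minute].append(p)
    for paths in by_minute.values():
        if any(p in flagged for p in paths):
            flagged.update(p for p in paths if _split(p)[1] not in KNOWN_TOOLS)
    return sorted(flagged)


def parse_reg(text):
    """Return {key: [(name, data)]} from a REGEDIT-style dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if km := REG_KEY.match(line):
            current = km.group(1)
            keys[current] = []
        elif current and (vm := REG_VALUE.match(line)):
            keys[current].append((vm.group(1), vm.group(2)))
    return keys


def triage_reg(text):
    """(values_to_delete, keys_to_delete). Assumed rules: an empty Run value is
    an orphaned autorun; a populated Policies\\Explorer\\Run key is an injection
    point that normal installers do not use."""
    values, keys = [], []
    for key, entries in parse_reg(text).items():
        k = key.lower()
        if k.endswith(r"\policies\explorer\run") and entries:
            keys.append(key)
        elif k.endswith(r"\currentversion\run"):
            values += [(key, name) for name, data in entries if data == '""']
    return values, keys


def regedit4_script(values, keys):
    """REGEDIT4 syntax: "name"=- deletes a value, [-key] deletes a whole key."""
    lines = ["REGEDIT4", ""]
    for key, name in values:
        lines += [f"[{key}]", f'"{name}"=-', ""]
    for key in keys:
        lines += [f"[-{key}]", ""]
    return "\n".join(lines)
```

`triage_files(FILES_CREATED)` returns the eight files the reply lists from this log (the `internaldb41.dat` entry comes from a part of the log not shown here), and `regedit4_script(*triage_reg(REG_LOADING_POINTS))` renders the same `fix.reg` the reply gives. The same-minute rule is what catches `VSL05.exe` and `aaa00000.dll`: nothing about those two names alone is damning, but they were written in the same minute as a `.sys` file outside `drivers`, which is enough to treat the batch as one drop. KillBox's "Delete on Reboot" queues the list through Windows' delayed-rename mechanism, which is why the reply expects a Pending File Rename Operations prompt.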

#12 Crystal58415
  • Topic Starter
  • Members
  • 7 posts

Posted 22 August 2006 - 08:00 PM

I did everything you asked, and here's the HijackThis log!

Logfile of HijackThis v1.99.1
Scan saved at 8:58:15 PM, on 8/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\aim\aim.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

#13 -David-
  • Members
  • 10,603 posts
  • Location:London

Posted 23 August 2006 - 04:46 AM

Ok, please delete this file:
C:\WINDOWS\fubd.dll

I see a clean log here.
How do you feel the system is running?

#14 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 03 September 2006 - 03:10 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.