
Hijack This Log Plus Other Info. And It Ain't Pretty.


  • This topic is locked
4 replies to this topic

#1 Tom Wade

Tom Wade

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:15 PM

Posted 17 August 2006 - 08:50 AM

Having worked through all of the preparation steps that I could, and saving logs when I could, I came up with this.
Skip over whichever you may not need; I tried to prioritize.

Please help.

HijackThis
ewido results
ActiveScan
BitDefender

Logfile of HijackThis v1.99.1
Scan saved at 3:12:48 AM, on 8/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hklm/
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [oinil.exe] C:\WINDOWS\System32\oinil.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_296073] C:\WINDOWS\System32\ActiveScan\pavdr.exe xPanda ActiveScan 296073
O4 - HKLM\..\RunOnce: [Panda_cleaner_290716] C:\WINDOWS\System32\ActiveScan\pavdr.exe xPanda ActiveScan 290716
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1129012798000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...642/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54073110-24A0-4593-A4A8-73ED5C793859}: NameServer = 85.255.116.29,85.255.112.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{61820C7F-1F2D-4EC6-AC52-4AA4C5CE956B}: NameServer = 85.255.116.29,85.255.112.134
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.29 85.255.112.134
O17 - HKLM\System\CS1\Services\Tcpip\..\{54073110-24A0-4593-A4A8-73ED5C793859}: NameServer = 85.255.116.29,85.255.112.134
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.29 85.255.112.134
O20 - Winlogon Notify: fslbpxhf - fslbpxhf.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: xoamefwa - xoamefwa.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe






---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:45:16 PM, 8/15/2006
+ Report-Checksum: 57F62898

+ Scan result:

HKLM\SOFTWARE\Classes\Media-Codec.Chl -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Media-Codec.Chl\CLSID -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\PSGuard.com -> Adware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard -> Adware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard -> Adware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard\License -> Adware.PSGuard : Cleaned with backup
C:\Documents and Settings\Administrator.D7BGW741\Cookies\administrator@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\ALLISON WADE\Local Settings\Temp\wincfnsgf.exe -> Proxy.Agent.dd : Cleaned with backup
C:\Documents and Settings\ALLISON WADE\Local Settings\Temp\wingvqt.exe -> Proxy.Agent.dd : Cleaned with backup
C:\Documents and Settings\ALLISON WADE\Local Settings\Temp\zz50.exe -> Backdoor.Agent.aba : Cleaned with backup
C:\Documents and Settings\LEAH WADE\Cookies\leah wade@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\LEAH WADE\Cookies\leah wade@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\LEAH WADE\Cookies\leah wade@imgserv.adbutler[1].txt -> TrackingCookie.Adbutler : Cleaned with backup
C:\Documents and Settings\LEAH WADE\Cookies\leah wade@vip2.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\LEAH WADE\Cookies\leah wade@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737\A0115538.dll -> Adware.Virtumonde : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737\A0115539.dll -> Adware.Virtumonde : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737\A0115540.dll -> Adware.Virtumonde : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737\A0115541.dll -> Adware.Virtumonde : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737\A0115542.dll -> Adware.Virtumonde : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737\A0115543.dll -> Adware.Virtumonde : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737\A0115544.dll -> Adware.Virtumonde : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737\A0115545.dll -> Adware.Virtumonde : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737\A0115546.dll -> Adware.Virtumonde : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737\A0115547.dll -> Adware.Virtumonde : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737\A0115548.exe -> Trojan.Zapchast.ar : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737\A0115549.dll -> Adware.Virtumonde : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737\A0115550.dll -> Adware.Virtumonde : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737\A0115551.dll -> Adware.Couponage : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737\A0116204.exe -> Adware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737\A0116205.exe -> Adware.Msnagent : Cleaned with backup


::Report End



Incident Status Location

Virus:W32/Sality.T Disinfected Operating system
Adware:adware/pacimedia Not disinfected c:\windows\system32\APD123.exe
Adware:adware/virtualbouncer Not disinfected c:\windows\system32\INNERADINSTALL.LOG
Adware:adware/iedriver Not disinfected c:\windows\system32\Searchx.htm
Adware:adware/mssearch Not disinfected c:\windows\system32\toolbar.exe
c:\windows\system32\wp.bmp
Adware:adware/ipinsight Not disinfected c:\windows\inf\polall1r.inf
Adware:adware/cws Not disinfected c:\documents and settings\all users\favorites\Download Free Spyware Remover.url
Adware:adware/isearch Not disinfected c:\windows\delprot.log
Adware:adware/dealhelper Not disinfected c:\windows\dsearch1.bin
Adware:adware/ieplugin Not disinfected c:\windows\kwv2.dat
Adware:adware/sbsoft Not disinfected c:\windows\rdt.ini
Adware:adware/sidesearch Not disinfected c:\windows\sepsd.bin
Adware:adware program Not disinfected c:\windows\System32mscore.bin
Adware:adware/cws.searchmeup Not disinfected c:\windows\uniq
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\program files\common files\WinSoftware
Adware:adware/delfinmedia Not disinfected c:\windows\system32\nfomon
Adware:adware/tvmedia Not disinfected c:\windows\bundles
Adware:adware/elitebar Not disinfected c:\windows\etb
Adware:adware/transponder Not disinfected c:\windows\inst
Adware:adware/savenow Not disinfected c:\documents and settings\all users\application data\vmss
Adware:adware/yazzle Not disinfected Windows Registry
Adware:adware/zenosearch Not disinfected Windows Registry
Hacktool:hacktool/rootkit.d Not disinfected hkey_local_machine\system\currentcontrolset\services\vdmt16
Adware:adware/statblaster Not disinfected Windows Registry
Spyware:spyware/cws.olehelp Not disinfected Windows Registry
Adware:adware/powerscan Not disinfected Windows Registry
Adware:adware/sqwire Not disinfected Windows Registry
Adware:adware/ist.yoursitebar Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/mirar Not disinfected Windows Registry
Virus:W32/Sality.T Disinfected C:\DELL\ATAPI.EXE
Virus:W32/Sality.T Disinfected C:\DELL\drivers\R70564\NAV\UPSWPLUG.EXE
Virus:W32/Sality.T Disinfected C:\DELL\drivers\R70564\SETUP\SETUP\SYMSHARE\ANTISPAM\EUDOHELP.EXE
Virus:W32/Sality.T Disinfected C:\DELL\drivers\R70564\SUPPORT\SYMLNCH\SYMLNCH.EXE
Virus:W32/Sality.T Disinfected C:\DELL\drivers\R70564\VIRUSDEF\DEFINST.EXE
Virus:W32/Sality.T Disinfected C:\DELL\UWAKEOFF.EXE
Virus:W32/Sality.T Disinfected C:\DELL\UWAKEON.EXE
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator.D7BGW741\Cookies\administrator@2o7[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator.D7BGW741\Cookies\administrator@atwola[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator.D7BGW741\Cookies\administrator@microsofteup.112.2o7[1].txt
Virus:Trj/ChampMailer.A Disinfected C:\Documents and Settings\Administrator.D7BGW741\Local Settings\Temporary Internet Files\Content.IE5\GQ9JBCME\CAST2VC1.html
Virus:W32/Sality.T Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\HTML\item_templ\coach\RunGdp.exe
Virus:W32/Sality.T Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\DellSupportUtil.exe
Virus:W32/Sality.T Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\CIP\DellSupportUtil17.exe
Virus:W32/Sality.T Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\DellSommelierFix.exe
Virus:W32/Sality.T Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\item_templ\coach\RunGdp.exe
Virus:W32/Sality.T Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\HTML\fix\DellSupportLauncher.exe
Virus:W32/Sality.T Disinfected C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\HTML\item_templ\coach\RunGdp.exe
Spyware:Cookie/64.62.232 Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@64.62.232[3].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@888[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@adopt.hbmediapro[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@adultfriendfinder[2].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@anm.co[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@atwola[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@azjmp[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@belnk[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@cassava[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@ccbill[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@did-it[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@dist.belnk[1].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@fe.lea.lycos[1].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@fe.lea.lycos[3].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@go[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@i.screensavers[2].txt
Spyware:Cookie/Media-motor Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@mmm.media-motor[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@offeroptimizer[2].txt
Spyware:Cookie/Outster Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@outster[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@realmedia[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@rn11[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@searchportal.information[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@target[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@toplist[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@webpower[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@xiti[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\ALLISON WADE\Cookies\allison wade@xmts[2].txt
Virus:W32/Sality.T Disinfected C:\Documents and Settings\ALLISON WADE\Local Settings\Temp\23035.exe
Virus:Trj/ChampMailer.A Disinfected C:\Documents and Settings\ALLISON WADE\Local Settings\Temp\A77A.tmp
Virus:W32/Sality.T Disinfected C:\Documents and Settings\ALLISON WADE\Local Settings\Temp\nsnA6E.tmp\pxhpinst.exe
Virus:W32/Sality.T Disinfected C:\Documents and Settings\ALLISON WADE\Local Settings\Temp\nsnA6E.tmp\pxsetup.exe
Virus:Trj/ChampMailer.A Disinfected C:\Documents and Settings\ALLISON WADE\Local Settings\Temporary Internet Files\Content.IE5\1COBDTOH\CA3ACRB9.html
Virus:Trj/Ruins.MB Disinfected C:\Documents and Settings\ALLISON WADE\Local Settings\Temporary Internet Files\Content.IE5\AWM9NL80\xxx[1].jpg
Virus:Trj/SrchSpy.J Disinfected C:\Documents and Settings\ALLISON WADE\Local Settings\Temporary Internet Files\Content.IE5\GXGROFOF\cnte_oiduuyes[1].gif
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\LEAH WADE\Cookies\leah wade@adopt.hbmediapro[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\LEAH WADE\Cookies\leah wade@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\LEAH WADE\Cookies\leah wade@dist.belnk[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\LEAH WADE\Cookies\leah wade@drivecleaner[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\LEAH WADE\Cookies\leah wade@stats.drivecleaner[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\LEAH WADE\Cookies\leah wade@www.drivecleaner[1].txt
Virus:W32/Sality.T Disinfected C:\Documents and Settings\STEPHEN WADE\Local Settings\Temporary Internet Files\Content.IE5\MUSLVUUQ\DellSupportUtil[1].exe
Virus:W32/Sality.T Disinfected C:\Documents and Settings\TED WADE\Application Data\Microsoft\Installer\{989273D7-54A6-4E33-84A8-9FCEC33169EA}\ARPPRODUCTICON.exe
Virus:W32/Sality.T Disinfected C:\Documents and Settings\TED WADE\Application Data\Microsoft\Installer\{989273D7-54A6-4E33-84A8-9FCEC33169EA}\CounterSpy.exe1_989273D754A64E3384A89FCEC33169EA.exe
Virus:W32/Sality.T






Plus roughly a million more Sality.T's.


BITDEFENDER
BitDefender Online Scanner - Real Time Virus Report



Generated at: Wed, Aug 16, 2006 - 00:44:51


--------------------------------------------------------------------------------





Scan Info



Scanned Files
212133

Infected Files
1368








Virus Detected



Trojan.Downloader.Tsupdate.I
1

Trojan.Downloader.Dyfuca.DE
2

Trojan.Downloader.Flin.A
1

Dropped:Application.Adware.IEDriver.A
1

Trojan.Downloader.598
1

Trojan.StartPage.MF
3

Trojan.SecondThought.L
31

Dropped:Backdoor.Ruledor.E
2

Trojan.Maddle.B.DLL
14

Trojan.QHost.CU
2

Trojan.Downloader.Small.CMS
1

Trojan.Downloader.2094.A
1

Trojan.Dropper.Small.HT
1

Trojan.Downloader.Keenval.H
1

Trojan.Exploit.Mhtredir.AR
4

JS.Exploit.DialogArg.B
1

Trojan.Downloader.BPC
1

Trojan.Exploit.Html.MHT
5

Trojan.Downloader.Dyfuca.AC
2

Adware.Look2Me.B
25

Exploit.Html.Iframe.Bof.Gen
1

Trojan.Downloader.Siboco.A
1

Trojan.Propo.712704.A
1

Trojan.Downloader.Dyfuca.H
2

Trojan.Downloader.Agent.AM
1

Backdoor.BotGet.FtpB.Gen
1

Exploit.Html.MhtRedir.Gen
10

Trojan.Sandbox.A
26

Trojan.Downloader.Delf.GO
11

Trojan.Downloader.Turown.H
1

Application.Adware.BookedSpace.A
1

Trojan.Downloader.VB.Revop
3

Trojan.Dropper.Delf.Z
2

Trojan.Downloader.Small.GO
4

Trojan.Downloader.Istbar.KH
1

Trojan.Js.Seeker.Based.C
9

Trojan.Septic.A.dr
1

Adware.Statmedia.A
1

Trojan.Wren.B
2

Trojan.Downloader.Lookme.K
2

Trojan.ADS
1

Trojan.Downloader.Dyfuca.BX
2

Trojan.Lookme.C
1

Trojan.Downloader.Rameh.C
1

Application.IBIS.Toolbar
1

Trojan.Downloader.Small.EN
5

Trojan.BettInet.A
12

Win32.Mydoom.XT@mm
3

MemScan:Trojan.Downloader.Agent.ACH
4

Application.Adware.Promulgate
1

Trojan.Spy.Idly.C
2

Trojan.Downloader.Apropo.S
1

Adware.Promulgate
1

Trojan.Dropper.Agent.HL
1

Trojan.Spy.Agent.BN
1

Trojan.Delf.JZ
2

Trojan.Spy.Middadle.A
3

Trojan.Memwatchad.A
1

JS.Seeker.W
30

Trojan.Spy.Briss.H
1

Trojan.Whenu.A
1

Trojan.Downloader.Dyfuca.CJ
1

Trojan.Downloader.Agent.BR
1

Trojan.Imiserv.C
1

Trojan.Downloader.IstBar.IJ
1

Trojan.Bettinet.66560.A
2

Trojan.Bispy.A
1

Trojan.Downloader.Purityscan.U
4

Trojan.SecondThought.AG
2

Trojan.Sectho.A
3

Trojan.Downloader.KeenValue.C
1

Trojan.Aproposad.C
1

Trojan.Downloader.Agent.FW
1

Trojan.Downloader.Vb.FJ
1

Trojan.Downloader.Revop.C
1

Trojan.Downloader.Small.ID
9

Trojan.Downloader.Wintool.A
1

Trojan.Maddle.E
1

Trojan.Small.CY
3

Trojan.Downloader.Agent.AB
1

Backdoor.Genlot.AQ
4

Trojan.Virtumod.C
2

Trojan.Downloader.Agent.BT
2

Trojan.Adware.BuddyLinks.A
1

Trojan.Downloader.Ieser.A
2

Dropped:Trojan.Maddle.B.DLL
2

Win32.Sality.M
795

Adware.Searchbar.M
1

Trojan.Porad.A.DLL
1

Trojan.Downloader.Js.Small.D
1

Trojan.Dropper.Agent.AZ
1

Exploit.Phel.Gen
1

Trojan.Startpage.RN
1

Trojan.Downloader.Dyfuca.AK
2

Trojan.Downloader.1296.D
1

Trojan.Downloader.Lemmy.X
1

Trojan.Multidr.MH
2

Exploit.ADODB.Stream.Gen
15

Trojan.Delprot.A
2

Trojan.Downloader.Lalus.A
2

Trojan.Isbar.294
1

Trojan.Downloader.WinShow.AM
1

Trojan.Delf.CF
33

Trojan.Scapur.A
3

Trojan.SpamTool.Agent.M
88

Trojan.Downloader.Keenval.Q
1

Trojan.Downloader.Delf.CB
1

Trojan.Vb.OD
1

Trojan.Purityad.F
3

Trojan.Vb.KQ
2

Trojan.Downloader.Braidupdate.C
1

Trojan.Downloader.Agent.AE
3

Trojan.Dropper.Delf.Dam.2
4

Trojan.Dropper.Small.PV
1

Generic.Malware.dld!!g.0DB1D5E8
3

Trojan.Downloader.Small.ABD
1

Trojan.Downloader.Agent.BG
1

Trojan.Small.I
1

Trojan.SecondThought.G
3

Trojan.Ulone.A
1

Trojan.Agent.BP
1

Trojan.Downloader.Envolo.D
1

Trojan.Downloader.Small.KL
1

Trojan.Downloader.Dyfuca.DA
2

Trojan.Htmlhelpcontrol.Exploit.A
1

Trojan.Clicker.Delf.R
1

Adware.Look2me.AB
2

Trojan.Downloader.Agent.CZ
1

Trojan.FakeAlert.CR
1

Application.Adware.Promulgate.Dll
1

VBS.Trojan.Iframe.A
14

Trojan.Downloader.Lookme.D
1

Trojan.Downloader.Agent.HO
3

Trojan.Ulone.C
1

Trojan.Downloader.Agent.DK
3

Exploit.Win32.MS05-002.Gen
3

Trojan.Downloader.Dyfuca.BQ
4

Trojan.Dialer.GlobalAcces
2

Trojan.Downloader.Dyfuca.CR
2

Trojan.Downloader.Dyfuca.Dam.2
1

Exploit.ADODB.Stream2.Gen
1

Trojan.Downloader.HTML.Agent.B
1

Trojan.Downloader.Dyfuca.3
1

Trojan.Downloader.Dyfuca.DT
2

Trojan.Dropper.Purityscan.Q
7

BehavesLike:Win32.ExplorerHijack
2

Trojan.Secondthought.AI
3

Trojan.Downloader.Tsupdate.G
3

Trojan.Downloader.Dyfuca.DC
1

Trojan.Downloader.TSUpdate.F
2

Trojan.Downloader.Dyfuca.V
1

Trojan.Downloader.Tsupdate.H
1

Adware.Clicker.BH
1

Trojan.Downloader.QDown.M
1

Trojan.Downloader.Vb.BO
1

Trojan.Downloader.Abox.A
1

Trojan.Downloader.2669.B
1

Trojan.Kolweb.A
8







All of this had been done while in safe mode. Unfortunately, now I must venture into regular mode in order to attempt to back up a few important files, in case I do have to wipe anything clean.

I'm sure there's a lot you can skip past there. I'm ready to begin, though, and I appreciate any help I can get.


Thanks
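A way to triage a HijackThis log like the one in this post before asking a helper, written as an added example (it is not code from the thread, from HijackThis or from FixWareout). It flags O17 entries whose NameServer points outside an assumed allowlist of resolvers, O20 Winlogon Notify entries whose DLL is missing or has no path, O4 autoruns launched straight from System32 that are not in an assumed baseline, and O23 services whose binary is missing. The sample lines are copied from the log above; the DNS allowlist and the System32 baseline set are assumptions a responder would replace with their own.

```python
import ipaddress
import re

# Constructed sample: lines copied from the HijackThis log posted above (raw string,
# so the Windows backslashes are literal).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [oinil.exe] C:\WINDOWS\System32\oinil.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{54073110-24A0-4593-A4A8-73ED5C793859}: NameServer = 85.255.116.29,85.255.112.134
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.29 85.255.112.134
O20 - Winlogon Notify: fslbpxhf - fslbpxhf.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
"""

# Assumption: the resolvers this machine should be using. Private ranges cover a
# home router; add the ISP's or the company's resolvers for a real baseline.
DEFAULT_DNS_ALLOWLIST = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Assumption: autorun executables that are expected to live directly in System32.
# Anything else launched from there is flagged for review, not declared malicious.
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe"}

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.+)$")
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]+)\] (?P<rest>.+)$")


def _o4_target(rest):
    """Executable path from the text after an O4 entry name (quoted or bare)."""
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split(" ", 1)[0]  # bare paths with spaces get truncated; good enough for triage


def _finding(kind, reason, line):
    return {"type": kind, "reason": reason, "line": line}


def triage(log_text, dns_allowlist=None):
    """Return the HijackThis lines a responder should look at first, with a reason each."""
    allow = [ipaddress.ip_network(n) for n in (dns_allowlist or DEFAULT_DNS_ALLOWLIST)]
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := O17_RE.match(line):
            # NameServer may be comma- or space-separated; check each resolver.
            for token in re.split(r"[ ,]+", m.group("servers").strip()):
                try:
                    addr = ipaddress.ip_address(token)
                except ValueError:
                    continue
                if not any(addr in net for net in allow):
                    findings.append(_finding("O17", f"DNS resolver {addr} is outside the allowlist", line))
        elif m := O20_RE.match(line):
            # Winlogon Notify DLLs load into winlogon.exe; unpathed or missing ones need a look.
            target = m.group("target")
            if "(file missing)" in target or "\\" not in target:
                findings.append(_finding("O20", "Winlogon Notify DLL missing or unpathed", line))
        elif m := O4_RE.match(line):
            parts = _o4_target(m.group("rest")).split("\\")
            if (len(parts) >= 2 and parts[-2].lower() == "system32"
                    and parts[-1].lower() not in KNOWN_SYSTEM32_AUTORUNS):
                findings.append(_finding("O4", "autorun launched directly from System32, not in baseline", line))
        elif line.startswith("O23 - ") and "(file missing)" in line:
            # Usually a stale entry from an uninstalled product; confirm before removing.
            findings.append(_finding("O23", "service binary missing (stale entry, verify)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['type']:4} {f['reason']}\n     {f['line']}")
```

Run against the sample it reports both O17 resolvers on each interface line, the unpathed `fslbpxhf.dll` notify entry, the `oinil.exe` autorun and the missing `SAVScan.exe` service; the `igfxcui` entry and the QuickTime autorun are left alone. Passing an allowlist that covers the resolvers the machine is meant to use (for example the ISP's) silences the O17 findings, which is the intended way to tune it.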


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:15 PM

Posted 17 August 2006 - 04:37 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:


Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log into this topic.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Tom Wade

Tom Wade
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:15 PM

Posted 19 August 2006 - 02:36 AM

I don't know if it makes a difference, but bear in mind that both of these were done in safe mode. God knows if there are other nasties active when I'm running normally.

Check for missing files
.....
C:\WINDOWS\system32\AUTOEXEC.NT not there
.....
End check for missing files
.....
VXD Check
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
"VDD"=hex(7):43,3a,5c,50,52,4f,47,52,41,7e,31,5c,53,79,6d,61,6e,74,65,63,5c,53,\
33,32,45,56,4e,54,31,2e,44,4c,4c,00,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,\
6c,65,73,5c,41,6c,77,69,6c,20,53,6f,66,74,77,61,72,65,5c,41,76,61,73,74,34,\
5c,61,73,77,4d,6f,6e,56,64,2e,64,6c,6c,00,00
.....
End vxd check
.....
please post this at the forum



Logfile of HijackThis v1.99.1
Scan saved at 3:32:09 AM, on 8/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hklm/
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [oinil.exe] C:\WINDOWS\System32\oinil.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1129012798000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...642/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54073110-24A0-4593-A4A8-73ED5C793859}: NameServer = 85.255.116.29,85.255.112.134
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.29 85.255.112.134
O17 - HKLM\System\CS1\Services\Tcpip\..\{54073110-24A0-4593-A4A8-73ED5C793859}: NameServer = 85.255.116.29,85.255.112.134
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.29 85.255.112.134
O20 - Winlogon Notify: fslbpxhf - fslbpxhf.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: xoamefwa - xoamefwa.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



Was the FixWareout supposed to take roughly 4 seconds to work? Doesn't seem very, uh... thorough?
Awaiting further orders, sir.
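The "VXD Check" section of the FixWareout report above dumps the VirtualDeviceDrivers value as a REGEDIT4 hex(7) byte list, which is hard to read by eye. The following is an added example, not code from FixWareout or from the thread, of a small .reg parser that decodes such exports; run on the value quoted above it yields two paths, a Symantec S32EVNT1.DLL and the avast! aswMonVd.dll, so that entry holds nothing unexpected. The sample text is copied from the report; the parser handles REGEDIT4 (ANSI) and "Windows Registry Editor Version 5.00" (UTF-16LE) string encodings, and the key path used in `vdd_modules` is the one from the report.

```python
import re

# Constructed sample: the VDD value from the FixWareout "VXD Check" output above, as a
# REGEDIT4 export (hex bytes wrap onto continuation lines that end with a backslash).
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
"VDD"=hex(7):43,3a,5c,50,52,4f,47,52,41,7e,31,5c,53,79,6d,61,6e,74,65,63,5c,53,\
33,32,45,56,4e,54,31,2e,44,4c,4c,00,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,\
6c,65,73,5c,41,6c,77,69,6c,20,53,6f,66,74,77,61,72,65,5c,41,76,61,73,74,34,\
5c,61,73,77,4d,6f,6e,56,64,2e,64,6c,6c,00,00
"""

VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$")


def decode_value(data, utf16):
    """Decode one .reg data field: quoted string, dword, or hex(N) byte list."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = HEX_RE.match(data)
    if not m:
        return data
    reg_type = int(m.group("type"), 16) if m.group("type") else 3  # bare "hex:" is REG_BINARY
    raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b.strip())
    if reg_type in (1, 2, 7):  # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ written out as hex
        text = raw.decode("utf-16-le" if utf16 else "latin-1")
        strings = [s for s in text.split("\x00") if s]  # NUL-separated, double NUL terminated
        return strings if reg_type == 7 else (strings[0] if strings else "")
    return raw


def parse_reg(reg_text):
    """Parse a REGEDIT4 / Version 5.00 export into {key: {value_name: decoded}}."""
    text = reg_text.replace("\\\n", "")  # rejoin wrapped hex lines
    utf16 = "Windows Registry Editor Version 5.00" in text  # v5 stores hex strings as UTF-16LE
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("-")  # a leading "-" marks a key deletion
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = decode_value(m.group("data"), utf16)
    return keys


def vdd_modules(reg_text):
    """The DLLs registered as virtual device drivers, i.e. the value FixWareout dumps."""
    key = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers"
    return parse_reg(reg_text).get(key, {}).get("VDD", [])


if __name__ == "__main__":
    for path in vdd_modules(SAMPLE_REG):
        print(path)
```

The same parser reads any .reg backup a cleanup tool leaves behind, so a responder can check what was changed without importing it back into the registry.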

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:15 PM

Posted 19 August 2006 - 03:51 PM

No, it didn't run correctly, since you are missing some files.

Go to this page.

http://www.tech-forums.net/computer/topic/29806.html

Scroll down just below halfway and select the fix for your operating system.
It will restore the missing file(s) that you need.


Then run FixWareout again.
You should get a much different log this time. :thumbsup:


========================================================

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:15 PM

Posted 03 September 2006 - 02:13 PM

Unfortunately there has been no response. So this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================



