Tried For 2 Days To Remove This


This topic is locked
18 replies to this topic

#1 bluedna

Posted 22 August 2006 - 12:50 AM

Hi everyone,

Sorry, this is my first post here. I've read through all the posts and stickies. I usually manage to remove infections using the help provided here without having to post up logs or anything. But this time it's different.

I've been trying for 2 days now, in safe mode with 5 different scans, and it appears that what I have is very stubborn. It says it removes them, some items not until the next reboot, but when I do the scan, it's there again. I've tried the Brute Force tool, Ad-Aware SE, Ewido, S&D and Spyware Doctor. I've even removed some of the items manually with HJT. But now they seem to be on the system again.

I've followed all the scans suggested and so forth from: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ and from other people's cases, but no luck as of yet.

I have the same problem as many other people, that is: Trojan.Downloader.Small.CML

Very sorry for wasting your time.

But i really need help on this case.

Thanks

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 3:46:58 PM, on 8/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\{08D08902-07DA-1033-1021-050310200001}\Update.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\issearch.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [cd40fa1f.exe] C:\WINDOWS\system32\cd40fa1f.exe
O4 - HKLM\..\RunOnce: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /RM /FS /X
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [cd40fa1f.exe] C:\Documents and Settings\David Le\Local Settings\Application Data\cd40fa1f.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WinFast® Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Edited by bluedna, 22 August 2006 - 01:17 AM.



#2 bluedna

bluedna
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:06 PM

Posted 22 August 2006 - 01:13 AM

I've also tried to follow another similar case, but that thread was going around in circles.

www.bleepingcomputer.com/forums/lofiversion/index.php/t61573.html

Here is an image of my Spyware Doctor (similar to the top thread).


#3 Buckeye_Sam (Malware Expert)
Posted 22 August 2006 - 09:17 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.


I need to see a different type of log from HijackThis:
  • Run HijackThis.
  • Click on "Open the Misc Tools section".
  • Next click on "Open uninstall manager".
  • Press the button 'save list'. It will open a Notepad file.
  • Place the content of that file in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 bluedna

Posted 22 August 2006 - 04:11 PM

Hi Sam,

It's nice to meet you.

Here are the steps I have taken:
- Open HJT v1.99.1
- Do a system scan only OR Do a system scan and save a logfile
- Other Stuff section -> Config...
- Misc Tools Tab
- Open Uninstaller Manager...
- Save list...

AND

- Open HJT v1.99.1
- Open the Misc Tools section
- Open Uninstaller Manager...
- Save list...

Then nothing, HJT closes and does not appear to save a file anywhere.

So I've copied and pasted it out manually:

Ad-Aware SE Personal
C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG

Adobe Acrobat 6.0 Professional
MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}

Adobe Bridge 1.0
MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}

Adobe Common File Installer
MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}

Adobe Photoshop CS2
msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}

Alcohol 120%
MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}

Athlon 64 Processor Driver
RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9

BitComet 0.64
C:\Program Files\BitComet\uninst.exe

dBpowerAMP Music Converter
"C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.dat

dBpowerAMP Ogg Vorbis Codec
"C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.dat

dBpowerAMP WMA V9 Codec
"C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP WMA V9 Codec.dat

dBpowerAMP WMA V9.1 Codec
"C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP WMA V9.1 Codec.dat

DivX
C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC

DivX Converter
C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER

DivX Player
C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER

DivX Web Player
C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN

eMule
"C:\Program Files\eMule\Uninstall.exe"

FLV Player 1.3.3
"C:\Program Files\FLVPlayer\uninstall.exe"

Google Toolbar for Firefox
MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}

HijackThis 1.99.1
C:\Program Files\HijackThis\HijackThis.exe /uninstall

Hotfix for Windows XP (KB909394)
"C:\WINDOWS\$NtUninstallKB909394$\spuninst\spuninst.exe"

iPod for Windows 2006-06-28
C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BD57EA4D-026E-4F08-9B93-080E282B81FE} /l1033

iTunes
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{54C0D94A-F467-4ABC-9D02-6E58748668D4} /l1033

J2SE Runtime Environment 5.0 Update 6
MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}

Lock Folder XP 3.5
"C:\Program Files\Everstrike Software\Lock Folder XP 3.5\Uninstall.exe" "C:\Program Files\Common Files\Everstrike Software\Lock Folder XP 3.5\install.log"

Macromedia Flash Player 8
C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe

Marvell Miniport Driver
MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}

Microsoft ActiveSync 4.0
MsiExec.exe /I{B208806F-A231-4FA0-AB3F-5C1B8979223E}

Microsoft Office Professional Edition 2003
MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}

Mozilla Firefox (1.5.0.6)
"C:\PROGRA~1\MOZILL~1\uninstall\uninstall.exe /ua "1.5.0.6 (en-US)"

MSN Color Changer 2.0
"C:\Program Files\MSN Color Changer\unins000.exe"

Nero 6 Ultra Edition
C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL

NeroVision Express 3
C:\WINDOWS\UNNeroVision.exe /UNINSTALL

New.net Domains 7.22
C:\WINDOWS\NDNUNI~2.EXE


NVIDIA nTune
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF} /l1033

oggcodecs 0.71.0946
C:\Program Files\illiminable\oggcodecs\uninst.exe

Panda ActiveScan
C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan

QuickTime
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033

Real Alternative 1.48
"C:\Program Files\Real Alternative\unins000.exe"

Realtek AC'97 Audio
RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE


RelevantKnowledge
c:\windows\system32\rlvknlg.exe -bootremove -uninst:RelevantKnowledge
??

River Past Audio Converter Pro
C:\WINDOWS\Audio Converter Pro Uninstaller.exe

Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)

Spyware Doctor 3.8
"C:\Program Files\Spyware Doctor\unins000.exe"

ToolBar888
C:\Program Files\ToolBar888\Uninst.exe


Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
VobSub v2.23 (Remove Only)
WC3Banlist
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinFast® Display Driver
WinPcap 3.1
WinRAR archiver
Xerox Phaser 3130 PCL 6

#5 Buckeye_Sam (Malware Expert)

Posted 22 August 2006 - 06:58 PM

For some reason HijackThis won't open up Notepad on certain computers. But your list is perfect, and you've even highlighted the malicious programs.

Please click Start -> Control Panel -> Add/Remove Programs and uninstall these programs:

New.net Domains 7.22
RelevantKnowledge
ToolBar888



Reboot afterwards and post a new HijackThis log.

#6 bluedna

Posted 24 August 2006 - 11:05 PM

Hi there again Sam,

Sorry for the delayed response, here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 2:04:16 PM, on 8/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\isnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\cd40fa1f.exe
C:\Program Files\Common Files\{08D08902-07DA-1033-1021-050310200001}\Update.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cd40fa1f.exe] C:\WINDOWS\system32\cd40fa1f.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [cd40fa1f.exe] C:\Documents and Settings\David Le\Local Settings\Application Data\cd40fa1f.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WinFast® Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Looks pretty clean except for this funny-looking thing: cd40fa1f.exe?

Edited by bluedna, 24 August 2006 - 11:06 PM.
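The question of whether cd40fa1f.exe is the only oddity in the log above is one a helper answers by reading the O4 (registry autostart) lines for a few tell-tale patterns. The Python script below is an added example for this thread, not part of HijackThis or of any tool mentioned in the posts; the sample O4 lines are reproduced from the log above, and the function names and the three heuristics (random 8-hex-character names, programs launched from the user's profile directory, one Run-key name registered in both HKLM and HKCU but pointing at different files) are this example's own choices.

```python
"""Triage of HijackThis O4 (registry autostart) lines.

Added example for this thread; it is not part of HijackThis or of any
tool named in the posts. It automates what a helper checks by eye:
random 8-hex-character file names, programs launched from a user
profile directory, and one Run-key name registered in both HKLM and
HKCU but pointing at two different files.
"""
import re
from collections import defaultdict

# Sample input: O4 lines reproduced from the HijackThis log above.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cd40fa1f.exe] C:\WINDOWS\system32\cd40fa1f.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [cd40fa1f.exe] C:\Documents and Settings\David Le\Local Settings\Application Data\cd40fa1f.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# "O4 - <hive>\..\<Run key>: [<entry name>] <command line>"; Startup-folder
# entries ("O4 - Startup:") have no hive and are skipped on purpose.
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# First drive-letter path ending in .exe/.dll; for rundll32 lines this is
# the DLL payload, not rundll32 itself.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll)', re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{8}\.(?:exe|dll)$", re.IGNORECASE)
PROFILE_DIRS = ("\\local settings\\application data\\", "\\local settings\\temp\\")


def parse_o4(text):
    """Return one dict per registry O4 line: hive, key, name, command, path."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, command = m.groups()
        paths = PATH_RE.findall(command)
        entries.append({"hive": hive, "key": key, "name": name,
                        "command": command, "path": paths[0] if paths else None})
    return entries


def triage_o4(text):
    """Map each suspicious entry name to a sorted list of reasons."""
    entries = [e for e in parse_o4(text) if e["path"]]
    # (hive, lower-cased path) pairs per entry name, to spot HKLM/HKCU twins.
    by_name = defaultdict(set)
    for e in entries:
        by_name[e["name"]].add((e["hive"], e["path"].lower()))

    findings = {}
    for e in entries:
        reasons = []
        path_lower = e["path"].lower()
        base = path_lower.rsplit("\\", 1)[-1]
        if RANDOM_NAME_RE.match(base):
            reasons.append("random_name")
        if any(d in path_lower for d in PROFILE_DIRS):
            reasons.append("user_profile_dir")
        hives = {h for h, _ in by_name[e["name"]]}
        paths = {p for _, p in by_name[e["name"]]}
        if len(hives) > 1 and len(paths) > 1:
            reasons.append("dual_hive")
        if reasons:
            findings.setdefault(e["name"], set()).update(reasons)
    return {name: sorted(r) for name, r in findings.items()}


if __name__ == "__main__":
    for name, reasons in triage_o4(SAMPLE_O4).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run against the sample, only the cd40fa1f.exe entry is flagged, for all three reasons; the NVIDIA, iTunes and ActiveSync entries pass. The heuristics are deliberately coarse (a legitimate program can live under Local Settings), so they rank entries for a human to look at rather than decide anything on their own.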


#7 Buckeye_Sam (Malware Expert)

Posted 25 August 2006 - 08:10 AM

Actually, you still have several issues showing up there.


Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


=======================


Please download SmitfraudFix (by S!Ri) to your Desktop.
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.


=======================


Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded Ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware. Do not run a scan yet!


========================


Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log.

#8 bluedna

Posted 25 August 2006 - 02:54 PM

Hi Sam,

ComboFix log:

BlueDNA - 06-08-26 5:46:52.15
ComboFix 06.08.24 - Running from: C:\Documents and Settings\BlueDNA\Desktop

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\isnotify.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\ixt0.dll
C:\WINDOWS\system32\ixt1.dll
C:\WINDOWS\system32\ixt2.dll
C:\Program Files\ToolBar888
C:\WINDOWS\system32\components
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\isnotify.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\ixt2.dll
C:\Program Files\Common Files\{08D08902-07DA-1033-1021-050310200001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\BlueDNA\Application Data\STEM32~1
C:\QooBox\Purity\Documents and Settings\BlueDNA\My Documents\ICROSO~1
C:\QooBox\Purity\Program Files\CROSOF~1
C:\QooBox\Purity\Program Files\PPATCH~1
C:\QooBox\Purity\Program Files\PPPATC~1
C:\QooBox\Purity\Program Files\Common Files\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1


((((((((((((((((((((((((((((((( Files Created from 2006-07-26 to 2006-08-26 ))))))))))))))))))))))))))))))))))


2006-08-26 05:45 40,973 ---hs---- C:\WINDOWS\system32\cbxutrr.dll
2006-08-25 22:01 19,456 --a------ C:\WINDOWS\system32\ixt2.dll
2006-08-25 13:26 40,973 ---hs---- C:\WINDOWS\system32\efcawvu.dll
2006-08-25 12:20 8,820 --a------ C:\WINDOWS\system32\isnotify.exe
2006-08-23 06:41 40,973 ---hs---- C:\WINDOWS\system32\wvuurrq.dll
2006-08-22 15:26 30,720 --a------ C:\WINDOWS\system32\issearch.exe
2006-08-22 15:24 5,120 --a------ C:\WINDOWS\system32\ismon.exe
2006-08-22 15:24 40,973 ---hs---- C:\WINDOWS\system32\vtutsqn.dll
2006-08-22 15:24 36,368 --a------ C:\WINDOWS\system32\ishost.exe
2006-08-22 15:24 13,312 --a------ C:\WINDOWS\system32\cd40fa1f.exe
2006-08-22 06:28 13,844 --a------ C:\WINDOWS\system32\sxcxwrwy.exe
2006-08-21 21:32 183,296 --a-s---- C:\WINDOWS\NDNuninstall7_22.exe
2006-08-21 21:29 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-08-21 21:29 50,688 --a-s---- C:\WINDOWS\NDNuninstall6_38.exe
2006-08-21 16:28 126,976 --a------ C:\WINDOWS\system32\zip.exe
2006-08-21 16:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-08-21 16:13 42,496 --a------ C:\WINDOWS\system32\swreg.exe
2006-08-21 16:13 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-08-21 16:13 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-08-21 07:32 40,973 --------- C:\WINDOWS\system32\nnnkkkh.dll
2006-08-21 06:28 632,603 ---hs---- C:\WINDOWS\system32\qtstv.bak2
2006-08-20 18:28 716,687 ---hs---- C:\WINDOWS\system32\qtstv.bak1
2006-08-20 18:28 573,492 ---hs---- C:\WINDOWS\system32\vtstq.dll
2006-08-20 18:20 18,944 --a------ C:\WINDOWS\system32\winjks32.dll
2006-08-10 21:53 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-08-05 08:49 161,593 C:\WINDOWSAudio Converter Pro Uninstaller.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-26 05:48 -------- d-------- C:\Program Files\Common Files
2006-08-26 05:44 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-25 14:10 -------- d-------- C:\Program Files\Warcraft III
2006-08-25 14:04 -------- d-------- C:\Program Files\HijackThis
2006-08-22 19:24 -------- d-------- C:\Documents and Settings\BlueDNA\Application Data\Adobe
2006-08-22 16:37 -------- d-------- C:\Program Files\Ares
2006-08-22 14:18 -------- d-------- C:\Documents and Settings\BlueDNA\Application Data\Lavasoft
2006-08-22 14:17 -------- d-------- C:\Program Files\Lavasoft
2006-08-22 14:13 -------- d-------- C:\Program Files\WinRAR
2006-08-22 14:13 -------- d-------- C:\Program Files\Spyware Doctor
2006-08-22 14:13 -------- d-------- C:\Program Files\MSN Messenger
2006-08-22 14:13 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-08-22 14:13 -------- d-------- C:\Program Files\iTunes
2006-08-22 14:13 -------- d-------- C:\Program Files\Internet Explorer
2006-08-21 16:45 -------- d-------- C:\Program Files\ewido anti-malware
2006-08-21 08:15 -------- d-------- C:\Program Files\BitComet
2006-08-20 18:51 -------- d-------- C:\Program Files\Everstrike Software
2006-08-20 18:51 -------- d-------- C:\Program Files\Common Files\Everstrike Software
2006-08-20 18:47 -------- d-------- C:\Program Files\ądobe
2006-08-19 17:46 -------- d---s---- C:\Documents and Settings\BlueDNA\Application Data\Microsoft
2006-08-14 19:12 -------- d-------- C:\Program Files\eMule
2006-08-10 22:11 131072 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2006-08-10 21:57 -------- d-------- C:\Program Files\illiminable
2006-08-05 22:21 -------- d-------- C:\Documents and Settings\BlueDNA\Application Data\AdobeUM
2006-08-05 14:13 -------- d-------- C:\Program Files\Windows Media Player
2006-08-05 14:13 -------- d-------- C:\Program Files\WC3Banlist
2006-08-05 12:15 -------- d-------- C:\Documents and Settings\BlueDNA\Application Data\River Past G4
2006-08-05 08:49 161593 --a------ C:\WINDOWS\Audio Converter Pro Uninstaller.exe
2006-08-05 08:49 -------- d-------- C:\Program Files\River Past
2006-08-05 08:49 -------- d-------- C:\Program Files\Common Files\River Past
2006-08-01 18:32 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-01 18:32 -------- d-------- C:\Program Files\Adobe
2006-08-01 18:31 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-07-31 19:03 -------- d-------- C:\Documents and Settings\BlueDNA\Application Data\Apple Computer
2006-07-31 19:02 -------- d-------- C:\Program Files\QuickTime
2006-07-31 19:01 -------- d-------- C:\Program Files\iPod
2006-07-01 10:57 -------- d-------- C:\Documents and Settings\BlueDNA\Application Data\Sun
2006-07-01 10:56 -------- d-------- C:\Program Files\Java
2006-07-01 10:55 -------- d-------- C:\Program Files\Common Files\Java
2006-07-01 10:39 2829 --a------ C:\WINDOWS\War3Unin.pif
2006-07-01 10:39 139264 --a------ C:\WINDOWS\War3Unin.exe
2006-06-21 18:36 659270 ---hs---- C:\WINDOWS\system32\rtutv.bak1
2006-06-16 14:34 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-06-15 14:55 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-06-15 14:55 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-06-15 14:55 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-06-15 14:55 620180 --a------ C:\WINDOWS\system32\DivX.dll
2006-06-14 10:49 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-06-12 12:22 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-05-19 23:26 2508 --a------ C:\Documents and Settings\BlueDNA\Application Data\$_hpcst$.hpc


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"LFAgent"=""
"cd40fa1f.exe"="C:\\WINDOWS\\system32\\cd40fa1f.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"cd40fa1f.exe"="C:\\Documents and Settings\\BlueDNA\\Local Settings\\Application Data\\cd40fa1f.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /RM /FS /X"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"=""

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"=""

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5A3E97DD-2A08-48BC-8F43-C0DEABC90266}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkkkh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstq


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\lf.job

Completion time: Sat 08/26/2006 5:48:31.56
ComboFix.txt
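The ComboFix log above carries the two pieces of evidence that make this infection re-appear after every scan: a series of 40,973-byte hidden+system DLLs in system32 with shuffled names (cbxutrr.dll, efcawvu.dll, wvuurrq.dll, vtutsqn.dll, nnnkkkh.dll), and two Winlogon\notify subkeys (nnnkkkh, vtstq) named after DLLs from the same listing. The Python script below is an added example for this thread, not a ComboFix feature; the sample log is a subset of the lines above in the same format, and the section-parsing, the size-cluster threshold and the function names are this example's own assumptions.

```python
"""Triage of a ComboFix 'Files Created' listing against its Winlogon Notify keys.

Added example for this thread; it is not a ComboFix feature. It checks
three things a helper reads off a log like the one above: recently
created hidden+system DLLs in system32, groups of new files sharing one
exact size (the 40,973-byte DLLs with shuffled names), and Winlogon
Notify subkeys whose name matches one of those new DLLs.
"""
import re
from collections import defaultdict

# Sample input: a subset of the ComboFix log above, same line format.
SAMPLE_COMBOFIX = r"""
((((((((( Files Created from 2006-07-26 to 2006-08-26 )))))))))

2006-08-26 05:45 40,973 ---hs---- C:\WINDOWS\system32\cbxutrr.dll
2006-08-25 13:26 40,973 ---hs---- C:\WINDOWS\system32\efcawvu.dll
2006-08-23 06:41 40,973 ---hs---- C:\WINDOWS\system32\wvuurrq.dll
2006-08-22 15:24 40,973 ---hs---- C:\WINDOWS\system32\vtutsqn.dll
2006-08-22 15:24 13,312 --a------ C:\WINDOWS\system32\cd40fa1f.exe
2006-08-21 07:32 40,973 --------- C:\WINDOWS\system32\nnnkkkh.dll
2006-08-20 18:28 573,492 ---hs---- C:\WINDOWS\system32\vtstq.dll
2006-08-10 21:53 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

((((((((( Reg Loading Points )))))))))

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkkkh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstq
"""

# "<date> <time> <size> <attribute flags> <path>"; the nine flag positions
# carry d/r/a/h/s letters or '-' as in ComboFix output.
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+([\d,]+)\s+([-a-z]{9})\s+(\S.*)$")
NOTIFY_RE = re.compile(r"\\winlogon\\notify\\(\w+)\s*$", re.IGNORECASE)


def parse_combofix(text):
    """Return (files, notify_names). Only the 'Files Created' section is
    parsed for files, so Find3M lines do not dilute the result."""
    files, notify = [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("((("):
            section = line.strip("() ")
            continue
        m = NOTIFY_RE.search(line)
        if m:
            notify.append(m.group(1).lower())
            continue
        if section and section.startswith("Files Created"):
            m = FILE_RE.match(line)
            if m:
                date, _time, size, attrs, path = m.groups()
                files.append({"date": date, "size": int(size.replace(",", "")),
                              "attrs": attrs, "path": path,
                              "name": path.rsplit("\\", 1)[-1].lower()})
    return files, notify


def triage_combofix(text, min_cluster=3):
    files, notify = parse_combofix(text)
    hidden_system_dlls = [
        f["name"] for f in files
        if "h" in f["attrs"] and "s" in f["attrs"]
        and f["name"].endswith(".dll") and "\\system32\\" in f["path"].lower()]
    by_size = defaultdict(list)
    for f in files:
        by_size[f["size"]].append(f["name"])
    size_clusters = {s: n for s, n in by_size.items() if len(n) >= min_cluster}
    created = {f["name"] for f in files}
    # A Notify subkey is loaded by winlogon at logon; one named after a
    # brand-new DLL in system32 is the persistence point to remove.
    notify_dlls = [n + ".dll" for n in notify if n + ".dll" in created]
    return {"hidden_system_dlls": hidden_system_dlls,
            "size_clusters": size_clusters, "notify_dlls": notify_dlls}


if __name__ == "__main__":
    for key, value in triage_combofix(SAMPLE_COMBOFIX).items():
        print(f"{key}: {value}")
```

On the sample, the size cluster catches nnnkkkh.dll even though it lacks the hidden and system attributes, and the Notify correlation points at nnnkkkh.dll and vtstq.dll as the DLLs winlogon loads at every logon, which is why deleting the files alone does not stick until those keys go too.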

#9 bluedna

Posted 25 August 2006 - 02:55 PM

Smitfraud Fix Log:

SmitFraudFix v2.81

Scan done at 5:54:59.64, Sat 08/26/2006
Run from C:\Documents and Settings\BlueDNA\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismon.exe FOUND !
C:\WINDOWS\system32\isnotify.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\BlueDNA\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DAVIDL~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#10 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 25 August 2006 - 09:37 PM

Please print out or copy these instructions/tutorial to Notepad as the internet will not be available to you at certain points of the removal process (while in Safe Mode). Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.


1. Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
2. Run Smitfraud
  • Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
  • Select option #2 - Clean by typing 2 and press Enter.
  • Wait for the tool to complete and disk cleanup to finish.
  • You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
  • The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.


    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

    The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
3. Clean out your Temporary Internet files
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start -> Control Panel and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
4. Next Click Start -> Control Panel and then double-click Display.
  • Click on the Desktop tab, then click the Customize Desktop button.
  • Click on the Web tab.
  • Under Web Pages you may see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button.
  • Click Ok then Apply and Ok.
5. Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.


6. Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
  • IMPORTANT: Do not open any other windows or programs while Ewido is scanning; it may interfere with the scanning process.

  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido.
7. Reboot back into Normal Windows Mode


8. Run SmitfraudFix.
  • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
  • Select option #3 - Delete Trusted zone by typing 3 and press Enter
  • Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.


    Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
9. Please post the following logs:
  • c:\rapport.txt
  • Ewido log
  • A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 bluedna (Topic Starter, Members, 12 posts)

Posted 25 August 2006 - 10:06 PM

SmitFraudFix v2.81

Scan done at 12:44:29.32, Sat 08/26/2006
Run from C:\Documents and Settings\BlueDNA\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ishost.exe Deleted
C:\WINDOWS\system32\ismon.exe Deleted
C:\WINDOWS\system32\isnotify.exe Deleted
C:\WINDOWS\system32\issearch.exe Deleted
C:\WINDOWS\system32\ixt?.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:01:35 PM, 8/26/2006
+ Report-Checksum: 8668A3D5

+ Scan result:

HKU\.DEFAULT\Software\New.net -> Adware.NewDotNet : Cleaned with backup
HKU\S-1-5-18\Software\New.net -> Adware.NewDotNet : Cleaned with backup
:mozilla.21:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.46:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.47:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.48:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.49:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.50:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.51:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.52:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.53:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.54:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.55:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.81:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.100:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.101:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.102:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.103:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.104:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.105:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.106:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.107:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.108:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.109:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.110:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.111:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.112:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.113:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.120:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.121:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.122:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.125:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.127:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup
:mozilla.141:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.142:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.143:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.154:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.167:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.168:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.170:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup
:mozilla.171:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup
:mozilla.179:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.180:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.190:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.216:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.246:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.259:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.266:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.267:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.268:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.269:C:\Documents and Settings\BlueDNA\Application Data\Mozilla\Firefox\Profiles\wgw4qjpj.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\BlueDNA\Local Settings\Application Data\cd40fa1f.exe -> Downloader.Obfuscated.a : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\system32\cbxutrr.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\efcawvu.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\nnnkkkh.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\sxcxwrwy.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup
C:\WINDOWS\system32\vtutsqn.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINDOWS\system32\wvuurrq.dll -> Adware.Virtumonde : Cleaned with backup


::Report End

Edited by bluedna, 25 August 2006 - 10:07 PM.


#12 bluedna (Topic Starter, Members, 12 posts)

Posted 25 August 2006 - 10:08 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:04:18 PM, on 8/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [cd40fa1f.exe] C:\Documents and Settings\BlueDNA\Local Settings\Application Data\cd40fa1f.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WinFast® Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
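The O4 entry that launches cd40fa1f.exe from Local Settings\Application Data, the "(file missing)" BHO registrations that stay behind once a Vundo DLL has been deleted, and the Winlogon Notify keys (nnnkkkh, vtstq) listed in the ComboFix output earlier in this thread are the three persistence patterns the whole thread turns on. The script below is an added example of how a defender can triage a HijackThis-format log for those patterns automatically; it is not code from this thread, from HijackThis, or from any of the tools used here. Its sample lines are constructed from entries quoted in this thread, plus one constructed O20 line for nnnkkkh (ComboFix listed that Notify key, but no HijackThis log on the page shows it in O20 form). The Windows XP Winlogon Notify allowlist and the user-writable folder list are assumptions of the example; the rules rank entries for review rather than issue verdicts.

```python
"""Triage a HijackThis-format log for the persistence patterns seen in this thread.

Added example, not part of the thread or of HijackThis. The sample input at the
bottom is constructed from entries quoted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    entry: str     # the log line that triggered the rule
    reason: str


# Winlogon Notify packages that ship with Windows XP SP2. This allowlist is an
# assumption of the example; build your own baseline from a known-clean machine.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

# Profile folders a Run entry should rarely launch from (XP layout, lowercase).
USER_WRITABLE = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
)

# File stems that look machine-generated: 8 hex digits (cd40fa1f) or a short
# run of lowercase letters (nnnkkkh, vtstq).
RANDOM_STEM = re.compile(r"^(?:[0-9a-f]{8}|[a-z]{5,8})$")

RUN_RE = re.compile(r"^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.*)$")


def exe_path(cmd: str) -> str:
    """Return the executable path from a Run command, quoted or not."""
    m = re.search(r'"?([^"]+?\.exe)', cmd, re.IGNORECASE)
    return m.group(1).strip() if m else cmd.strip()


def triage(log_text: str) -> list[Finding]:
    """Apply the four rules to every line and return findings in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            path = exe_path(m["cmd"])
            low = path.lower()
            if any(folder in low for folder in USER_WRITABLE):
                stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                sev = "high" if RANDOM_STEM.match(stem) else "medium"
                findings.append(Finding(sev, line, f"Run entry launches from a user-writable profile folder: {path}"))
        elif m := BHO_RE.match(line):
            if m["path"].endswith("(file missing)"):
                findings.append(Finding("medium", line, f"BHO {{{m['clsid']}}} is still registered but its DLL is gone; the CLSID entry is an orphan left by a deleted file"))
        elif m := NOTIFY_RE.match(line):
            if m["name"].lower() not in KNOWN_NOTIFY:
                findings.append(Finding("high", line, f"Winlogon Notify package '{m['name']}' is not a known Windows XP package"))
        elif m := SVC_RE.match(line):
            if m["owner"] == "Unknown owner" or m["path"].endswith("(file missing)"):
                findings.append(Finding("info", line, "service with unknown owner or missing binary; confirm the vendor before touching it"))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, for a one-line summary."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample: lines quoted from this thread, plus one constructed O20
# line for the nnnkkkh Notify key that ComboFix listed.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\nnnkkkh.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [cd40fa1f.exe] C:\Documents and Settings\BlueDNA\Local Settings\Application Data\cd40fa1f.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: nnnkkkh - C:\WINDOWS\system32\nnnkkkh.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.entry}")
```

Run as-is it reports four findings from the sample (the orphaned nnnkkkh BHO, the cd40fa1f.exe Run entry, the constructed nnnkkkh Notify package, and the rpcapd service with a missing binary) and leaves the vendor-signed entries alone; pass a real log's text to `triage()` to rank its entries the same way. The BHO rule is why a log taken after the DLLs have been removed still shows O2 lines marked "(file missing)": deleting the file does not unregister the CLSID, so the registry entry survives until it is fixed separately.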

#13 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 26 August 2006 - 07:00 AM

Just a couple more and we should be done. :thumbsup:

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O4 - HKCU\..\Run: [cd40fa1f.exe] C:\Documents and Settings\BlueDNA\Local Settings\Application Data\cd40fa1f.exe


Delete these files, if present.

C:\Documents and Settings\BlueDNA\Local Settings\Application Data\cd40fa1f.exe
C:\WINDOWS\System32\cd40fa1f.exe



===========


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Also post a new log from Combofix so I can confirm that you are clean after this.

#14 bluedna (Topic Starter, Members, 12 posts)

Posted 26 August 2006 - 05:18 PM

Wow, boy am I glad we got here. I think it looks and feels clean!! :thumbsup:


VundoFix V6.1.2

Checking Java version...

Java version is 1.5.0.6

Scan started at 8:09:16 AM 8/27/2006

Listing files found while scanning....

C:\WINDOWS\system32\nnnkkkh.dll
C:\WINDOWS\system32\vtstq.dll
C:\WINDOWS\system32\qtstv.ini
C:\WINDOWS\system32\qtstv.bak1
C:\WINDOWS\system32\qtstv.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\nnnkkkh.dll
C:\WINDOWS\system32\nnnkkkh.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\vtstq.dll
C:\WINDOWS\system32\vtstq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qtstv.ini
C:\WINDOWS\system32\qtstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qtstv.bak1
C:\WINDOWS\system32\qtstv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qtstv.bak2
C:\WINDOWS\system32\qtstv.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.2

Checking Java version...

Java version is 1.5.0.6

Scan started at 8:12:47 AM 8/27/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...


Logfile of HijackThis v1.99.1
Scan saved at 8:16:16 AM, on 8/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36CE4120-02A5-40EF-B45E-16ED7257BC5D} - C:\WINDOWS\system32\vtutr.dll (file missing)
O2 - BHO: (no name) - {477BD537-0342-48E5-A0FA-F85285854F40} - C:\WINDOWS\system32\vtstq.dll (file missing)
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\nnnkkkh.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WinFast® Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)



BlueDNA - 06-08-27 8:15:02.92
ComboFix 06.08.24 - Running from: C:\Documents and Settings\BlueDNA\Desktop

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\BlueDNA\Application Data\STEM32~1
C:\QooBox\Purity\Documents and Settings\BlueDNA\My Documents\ICROSO~1
C:\QooBox\Purity\Program Files\CROSOF~1
C:\QooBox\Purity\Program Files\PPATCH~1
C:\QooBox\Purity\Program Files\PPPATC~1
C:\QooBox\Purity\Program Files\Common Files\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1


((((((((((((((((((((((((((((((( Files Created from 2006-07-27 to 2006-08-27 ))))))))))))))))))))))))))))))))))


2006-08-21 21:29 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-08-21 16:28 126,976 --a------ C:\WINDOWS\system32\zip.exe
2006-08-20 18:20 18,944 --a------ C:\WINDOWS\system32\winjks32.dll
2006-08-10 21:53 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-08-05 08:49 161,593 C:\WINDOWSAudio Converter Pro Uninstaller.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-27 08:14 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-27 08:07 -------- d-------- C:\Program Files\HijackThis
2006-08-26 15:31 -------- d-------- C:\Program Files\Warcraft III
2006-08-26 13:06 -------- d-------- C:\Program Files\ewido anti-malware
2006-08-26 05:48 -------- d-------- C:\Program Files\Common Files
2006-08-22 19:24 -------- d-------- C:\Documents and Settings\BlueDNA\Application Data\Adobe
2006-08-22 16:37 -------- d-------- C:\Program Files\Ares
2006-08-22 14:18 -------- d-------- C:\Documents and Settings\BlueDNA\Application Data\Lavasoft
2006-08-22 14:17 -------- d-------- C:\Program Files\Lavasoft
2006-08-22 14:13 -------- d-------- C:\Program Files\WinRAR
2006-08-22 14:13 -------- d-------- C:\Program Files\Spyware Doctor
2006-08-22 14:13 -------- d-------- C:\Program Files\MSN Messenger
2006-08-22 14:13 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-08-22 14:13 -------- d-------- C:\Program Files\iTunes
2006-08-22 14:13 -------- d-------- C:\Program Files\Internet Explorer
2006-08-21 08:15 -------- d-------- C:\Program Files\BitComet
2006-08-20 18:51 -------- d-------- C:\Program Files\Everstrike Software
2006-08-20 18:51 -------- d-------- C:\Program Files\Common Files\Everstrike Software
2006-08-20 18:47 -------- d-------- C:\Program Files\ądobe
2006-08-19 17:46 -------- d---s---- C:\Documents and Settings\BlueDNA\Application Data\Microsoft
2006-08-14 19:12 -------- d-------- C:\Program Files\eMule
2006-08-10 22:11 131072 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2006-08-10 21:57 -------- d-------- C:\Program Files\illiminable
2006-08-05 22:21 -------- d-------- C:\Documents and Settings\BlueDNA\Application Data\AdobeUM
2006-08-05 14:13 -------- d-------- C:\Program Files\Windows Media Player
2006-08-05 14:13 -------- d-------- C:\Program Files\WC3Banlist
2006-08-05 12:15 -------- d-------- C:\Documents and Settings\BlueDNA\Application Data\River Past G4
2006-08-05 08:49 161593 --a------ C:\WINDOWS\Audio Converter Pro Uninstaller.exe
2006-08-05 08:49 -------- d-------- C:\Program Files\River Past
2006-08-05 08:49 -------- d-------- C:\Program Files\Common Files\River Past
2006-08-01 18:32 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-01 18:32 -------- d-------- C:\Program Files\Adobe
2006-08-01 18:31 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-07-31 19:03 -------- d-------- C:\Documents and Settings\BlueDNA\Application Data\Apple Computer
2006-07-31 19:02 -------- d-------- C:\Program Files\QuickTime
2006-07-31 19:01 -------- d-------- C:\Program Files\iPod
2006-07-01 10:57 -------- d-------- C:\Documents and Settings\BlueDNA\Application Data\Sun
2006-07-01 10:56 -------- d-------- C:\Program Files\Java
2006-07-01 10:55 -------- d-------- C:\Program Files\Common Files\Java
2006-07-01 10:39 2829 --a------ C:\WINDOWS\War3Unin.pif
2006-07-01 10:39 139264 --a------ C:\WINDOWS\War3Unin.exe
2006-06-21 18:36 659270 ---hs---- C:\WINDOWS\system32\rtutv.bak1
2006-06-16 14:34 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-06-15 14:55 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-06-15 14:55 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-06-15 14:55 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-06-15 14:55 620180 --a------ C:\WINDOWS\system32\DivX.dll
2006-06-14 10:49 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-06-12 12:22 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-05-19 23:26 2508 --a------ C:\Documents and Settings\BlueDNA\Application Data\$_hpcst$.hpc
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"LFAgent"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"=""

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"=""

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5A3E97DD-2A08-48BC-8F43-C0DEABC90266}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\lf.job

Completion time: Sun 08/27/2006 8:15:39.40
ComboFix.txt
ComboFix2.txt

#15 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 26 August 2006 - 08:17 PM

Just about there. :thumbsup:

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O2 - BHO: (no name) - {36CE4120-02A5-40EF-B45E-16ED7257BC5D} - C:\WINDOWS\system32\vtutr.dll (file missing)
O2 - BHO: (no name) - {477BD537-0342-48E5-A0FA-F85285854F40} - C:\WINDOWS\system32\vtstq.dll (file missing)
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\nnnkkkh.dll (file missing)
Download KillBox and unzip it to your desktop.

Open Killbox and select the Delete on reboot option.
Copy and paste the following file to the field labeled "Full path of file to delete"

C:\WINDOWS\system32\winjks32.dll

Press the Delete button (the button that looks like a red circle with a white X in it).
A first dialog box will ask if you want to delete the file on reboot, press the YES button.
A second dialog box will ask you if you want to REBOOT now. Press the YES button.

Your computer will reboot.


============


I notice that you don't have an antivirus program on your computer. AVG offers a very good antivirus and it's free.
Please download and install AVG antivirus. Follow the prompts to download and install all updates and then run a complete scan.


============


Reboot and post one last HijackThis log.
Let me know of any problems or issues that you are still having.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
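As an added example, not part of this thread and not code from HijackThis or ComboFix: a small Python script that parses HijackThis O2 lines together with the shellexecutehooks block of a ComboFix log and flags the combination the helper is targeting above (unnamed BHOs whose DLL is missing from disk and whose CLSID is also registered as an unnamed ShellExecuteHook). The sample input is constructed from lines on this page plus one made-up benign BHO; the allowlist holds only the Windows URL Exec Hook CLSID, which is normally present on XP.

```python
import re

# Added example (not from the thread): correlate HijackThis O2 (BHO) lines with the
# shellexecutehooks block of a ComboFix log, flagging unnamed BHOs with a missing DLL.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
                   r" - (?P<path>.*?)(?P<missing> \(file missing\))?$")
HOOK_RE = re.compile(r'^"(?P<clsid>\{[0-9A-Fa-f-]{36}\})"="(?P<name>.*)"$')
KNOWN_HOOKS = {"{AEB6717E-7E19-11D0-97EE-00C04FD91972}"}  # shell32 URL Exec Hook, normal on XP
# Constructed sample: the three O2 lines from the post plus one made-up benign BHO,
# and the shellexecutehooks block from the ComboFix log above.
HJT_O2_LINES = r"""
O2 - BHO: (no name) - {36CE4120-02A5-40EF-B45E-16ED7257BC5D} - C:\WINDOWS\system32\vtutr.dll (file missing)
O2 - BHO: (no name) - {477BD537-0342-48E5-A0FA-F85285854F40} - C:\WINDOWS\system32\vtstq.dll (file missing)
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\nnnkkkh.dll (file missing)
O2 - BHO: Example Helper Class - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\helper.dll
"""
COMBOFIX_HOOKS = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5A3E97DD-2A08-48BC-8F43-C0DEABC90266}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"""
def parse_bhos(text):
    # one dict per O2 line: name, CLSID (upper-cased), DLL path, file-missing flag
    return [{"name": m["name"], "clsid": m["clsid"].upper(), "path": m["path"],
             "missing": bool(m["missing"])}
            for m in map(O2_RE.match, (l.strip() for l in text.splitlines())) if m]
def parse_hooks(text):
    # CLSID -> display name, only for values under the shellexecutehooks key
    hooks, in_section = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            in_section = line.lower().endswith("\\explorer\\shellexecutehooks]")
        elif in_section and HOOK_RE.match(line):
            m = HOOK_RE.match(line)
            hooks[m["clsid"].upper()] = m["name"]
    return hooks
def suspicious(bhos, hooks, allow=KNOWN_HOOKS):
    # CLSID -> reasons, for every CLSID in either list that deserves a closer look
    by_id, findings = {b["clsid"]: b for b in bhos}, {}
    for clsid in set(by_id) | set(hooks):
        b = by_id.get(clsid, {})
        checks = ((b.get("name") == "(no name)", "unnamed BHO"),
                  (b.get("missing", False), "BHO DLL missing on disk"),
                  (hooks.get(clsid) == "" and clsid not in allow, "unnamed ShellExecuteHook"))
        reasons = [why for hit, why in checks if hit]
        if reasons:
            findings[clsid] = reasons
    return findings
```

Run `suspicious(parse_bhos(HJT_O2_LINES), parse_hooks(COMBOFIX_HOOKS))` to get the three CLSIDs from the helper's fix list, with the third also flagged as an unnamed hook; the ewido guard and the URL Exec Hook are left alone.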



