
Mutating Weirdness?


  • This topic is locked
19 replies to this topic

#1 latitudefilms

latitudefilms

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:59 PM

Posted 25 August 2006 - 06:55 PM

Hi all,

I've been trying to fix this for over a month, but now I give up and beg for help!

It all started when I got hit with a bunch of viruses that came along when I okayed an active-X. Norton detected them, but didn't move fast enough (I guess) to avoid infection. :thumbsup:

Next thing I knew, IE was hijacked, and ZoneAlarm was telling me a quko.dll was trying to access the net. I googled quko, and found only one site referring to it as a new breed of polymorph virus. And strangely no reference in any of the AV databases. Is it possible for a virus to control the results one sees from a search engine like google or yahoo?

And then basically Norton stopped working, I couldn't update adaware, Spybot or Systemmechanic (ZoneLabs), and when I went and did online scans I found I had been infected with:

Win32.Bagle.BO
Win32.Netsky.Y
Trojan.Clicker.VB
Trojan.Downloader.VB
Trojan.Downloader.small
Trojan.Patched
Trojan.silly
Hijacker.small
Generic.quest
Browser.new
Downloader.small

My browser was being hijacked, and even more annoyingly all the ICONS on my desktop go "fuzzy" once the mouse goes over them.

So I ran every online scanner I could, deleted files left and right, fooled around with the startup, the registry (no, I don't really know what I'm doing) and finally got things down to only being infected with Bagle and Netsky. What was strange was that the files the helpsites at symantec etc told me to delete: (%system%\winshost.exe) couldn't be found anywhere... but I finally found things like the self-replicating quko.dll and managed to zap them!

Then, after more reading around on this site and running bitdefender, adaware, spybot, system mechanic and crapcleaner, and deleting anything I didn't like the look of, I ended up without bagle and netsky, but now with two new threats:

generic.malware.SVWk!.6FFB6D2A
generic.malware.VWK!.848A7625

I searched google, but never found any info about these. Also, I suspect that the system was still infected because only BitDefender was able to scan my system -- Panda never ever succeeded and Housecall worked but never ever detected anything! And as for Norton, I've never managed to get it to work again...

So here I am, using Bitdefender 8 (free), BitDefender Online scanner, CC, zonealarm, etc and not allowing any downloads and all the security settings at highest level, and two new problems have suddenly replaced the old ones...

And even more worrying, sometimes I do all the scans (also in safe mode) and they come out "clean", but the computer is behaving oddly, and I'm still getting the fuzzy icons on the desktop. And then I re-run a scan two days later, (computer switched off during that time) and now I only have:

Trojan.downloader.small.AJC
Trojan.downloader.VB.QB

A month has now gone by, and I am going nuts! The online scanners keep finding stuff, but are unable to delete. I've reinstalled Zonealarm and Bitdefender, adaware and spybot and every time I sort of get the upper hand, I get a new problem!

For the past week, the only thing that is getting detected is:

Generic.PWStealer.FO904EDD5

And I just can't find it and nothing can delete it -- it's hiding in an old outlook file, but seems to be jumping around...

And now, as of this morning, BitDefender doesn't find anything. (Panda still doesn't work, housecall freezes, and I've given up trying to get my copy of Norton to ever work again). BUT, I still have this weird sudden fuzzy look to my desktop icons when I put the pointer over them (hitting refresh gets it back to normal, and then it goes fuzzy again a while later, or if I approach any internet shortcut with the pointer).

So if anyone knows what is going on, and what I should be doing, I certainly would be very very grateful! I don't have any hair left to tear out!

Below is the hijackthis log.

Many many thanks,

Simon :flowers:



Logfile of HijackThis v1.99.1
Scan saved at 00:49:38, on 26/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\MSTMON_N.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\Wtablet\TabUserW.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
c:\program files\softwin\bitdefender8\bdmcon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {00EB98C4-0DEF-41AE-9484-8DC9CA30E27A} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {091FA11F-2DB1-48E2-BDB9-3E5845FA0FF2} - (no file)
O2 - BHO: (no name) - {0F0FA8BA-766E-41B0-A462-EA9E2E01647E} - (no file)
O2 - BHO: (no name) - {1EFDECB8-4688-425D-94DC-9C684E7ECDF7} - (no file)
O2 - BHO: (no name) - {446308F5-AF4A-4F81-AC23-3C6DAB4C9D94} - (no file)
O2 - BHO: (no name) - {49C915FE-CEBF-4B1E-8287-438E41942E9A} - (no file)
O2 - BHO: (no name) - {4BC5A5E1-BA26-E358-5F56-D4328F28F2DE} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {62E5D52E-C95E-4FC2-8291-72AB8576FBBC} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8BAB9F4E-230C-42B4-8226-8C3FBDFBB186} - (no file)
O2 - BHO: (no name) - {99FF0CFC-6569-4878-9970-A97949757DEF} - (no file)
O2 - BHO: (no name) - {9FECBE9A-9AC5-6DFA-5B2C-B9A80F0D05D9} - (no file)
O2 - BHO: (no name) - {A158EC92-762A-407B-AD9F-796AD3A3E274} - (no file)
O2 - BHO: (no name) - {A94EF49C-D643-4F3B-AD81-6654762DE53F} - (no file)
O2 - BHO: (no name) - {C668CA91-E5A5-3E57-21DC-639B7E5DCBE0} - (no file)
O2 - BHO: (no name) - {E08EC160-ECC7-9CE6-75D2-8DCC9AF7F89C} - (no file)
O2 - BHO: (no name) - {E1298640-BB84-4834-9F60-56571588354C} - (no file)
O2 - BHO: (no name) - {E2AC4971-6E67-4796-AB0F-E76F1D45AB96} - (no file)
O4 - HKLM\..\Run: [Video Process] MSlti64.exe
O4 - HKLM\..\Run: [Local Service] spoolsp.exe
O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1300WStatusDisplay] C:\WINDOWS\System32\MSTMON_N.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files\softwin\bitdefender8\bdnagent.exe"
O4 - HKLM\..\RunServices: [Video Process] MSlti64.exe
O4 - HKLM\..\RunServices: [Local Service] spoolsp.exe
O4 - HKLM\..\RunServices: [Bin Personal Firewall] binetc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Local Service] spoolsp.exe
O4 - HKCU\..\RunServices: [Local Service] spoolsp.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\ADOBE\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://fr.encyclopedia.yahoo.com/rsc/tdserver.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6C6A77C7-B4CC-4792-BB9D-5B50A211F69E} (ProductInformation Control) - http://www.iolo.com/app/ocx/ProductInformation.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {70FBDD76-044D-40C4-95E0-E15791C24AA4} (GViewer.GuardianViewer) - http://www.guardiansoftware.com/GAudit.CAB
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Fichiers communs\Mediafour\MacDriveiTunesPatch.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:59 PM

Posted 26 August 2006 - 08:07 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:


Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log into this topic.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 latitudefilms

latitudefilms
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:59 PM

Posted 26 August 2006 - 06:02 PM

Hi Sam,

Thanks for your speedy response.

Today, a little more weirdness -- ran the usual AV scans as I was getting up, and nothing was found. Then, I went onto the net to make a hotel reservation and my browser was suddenly totally hijacked, no more home page etc... had to close IE, restart etc. Reran virus scans -- according to them, everything is clean (and I still have the infuriating fuzzy icons on desktop!).

Anyway, here are the results of the scans you suggested:

FIXWARE


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.



HIJACKTHIS

Logfile of HijackThis v1.99.1
Scan saved at 00:52:08, on 27/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\MSTMON_N.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\program files\softwin\bitdefender8\bdnagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\Wtablet\TabUserW.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {00EB98C4-0DEF-41AE-9484-8DC9CA30E27A} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {091FA11F-2DB1-48E2-BDB9-3E5845FA0FF2} - (no file)
O2 - BHO: (no name) - {0F0FA8BA-766E-41B0-A462-EA9E2E01647E} - (no file)
O2 - BHO: (no name) - {1EFDECB8-4688-425D-94DC-9C684E7ECDF7} - (no file)
O2 - BHO: (no name) - {446308F5-AF4A-4F81-AC23-3C6DAB4C9D94} - (no file)
O2 - BHO: (no name) - {49C915FE-CEBF-4B1E-8287-438E41942E9A} - (no file)
O2 - BHO: (no name) - {4BC5A5E1-BA26-E358-5F56-D4328F28F2DE} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {62E5D52E-C95E-4FC2-8291-72AB8576FBBC} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8BAB9F4E-230C-42B4-8226-8C3FBDFBB186} - (no file)
O2 - BHO: (no name) - {99FF0CFC-6569-4878-9970-A97949757DEF} - (no file)
O2 - BHO: (no name) - {9FECBE9A-9AC5-6DFA-5B2C-B9A80F0D05D9} - (no file)
O2 - BHO: (no name) - {A158EC92-762A-407B-AD9F-796AD3A3E274} - (no file)
O2 - BHO: (no name) - {A94EF49C-D643-4F3B-AD81-6654762DE53F} - (no file)
O2 - BHO: (no name) - {C668CA91-E5A5-3E57-21DC-639B7E5DCBE0} - (no file)
O2 - BHO: (no name) - {E08EC160-ECC7-9CE6-75D2-8DCC9AF7F89C} - (no file)
O2 - BHO: (no name) - {E1298640-BB84-4834-9F60-56571588354C} - (no file)
O2 - BHO: (no name) - {E2AC4971-6E67-4796-AB0F-E76F1D45AB96} - (no file)
O4 - HKLM\..\Run: [Video Process] MSlti64.exe
O4 - HKLM\..\Run: [Local Service] spoolsp.exe
O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1300WStatusDisplay] C:\WINDOWS\System32\MSTMON_N.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\RunServices: [Video Process] MSlti64.exe
O4 - HKLM\..\RunServices: [Local Service] spoolsp.exe
O4 - HKLM\..\RunServices: [Bin Personal Firewall] binetc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Local Service] spoolsp.exe
O4 - HKCU\..\RunServices: [Local Service] spoolsp.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\ADOBE\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://fr.encyclopedia.yahoo.com/rsc/tdserver.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6C6A77C7-B4CC-4792-BB9D-5B50A211F69E} (ProductInformation Control) - http://www.iolo.com/app/ocx/ProductInformation.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {70FBDD76-044D-40C4-95E0-E15791C24AA4} (GViewer.GuardianViewer) - http://www.guardiansoftware.com/GAudit.CAB
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Fichiers communs\Mediafour\MacDriveiTunesPatch.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:59 PM

Posted 26 August 2006 - 08:28 PM

Run Hijackthis again, click scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {00EB98C4-0DEF-41AE-9484-8DC9CA30E27A} - (no file)
O2 - BHO: (no name) - {091FA11F-2DB1-48E2-BDB9-3E5845FA0FF2} - (no file)
O2 - BHO: (no name) - {0F0FA8BA-766E-41B0-A462-EA9E2E01647E} - (no file)
O2 - BHO: (no name) - {1EFDECB8-4688-425D-94DC-9C684E7ECDF7} - (no file)
O2 - BHO: (no name) - {446308F5-AF4A-4F81-AC23-3C6DAB4C9D94} - (no file)
O2 - BHO: (no name) - {49C915FE-CEBF-4B1E-8287-438E41942E9A} - (no file)
O2 - BHO: (no name) - {4BC5A5E1-BA26-E358-5F56-D4328F28F2DE} - (no file)
O2 - BHO: (no name) - {62E5D52E-C95E-4FC2-8291-72AB8576FBBC} - (no file)
O2 - BHO: (no name) - {8BAB9F4E-230C-42B4-8226-8C3FBDFBB186} - (no file)
O2 - BHO: (no name) - {99FF0CFC-6569-4878-9970-A97949757DEF} - (no file)
O2 - BHO: (no name) - {9FECBE9A-9AC5-6DFA-5B2C-B9A80F0D05D9} - (no file)
O2 - BHO: (no name) - {A158EC92-762A-407B-AD9F-796AD3A3E274} - (no file)
O2 - BHO: (no name) - {A94EF49C-D643-4F3B-AD81-6654762DE53F} - (no file)
O2 - BHO: (no name) - {C668CA91-E5A5-3E57-21DC-639B7E5DCBE0} - (no file)
O2 - BHO: (no name) - {E08EC160-ECC7-9CE6-75D2-8DCC9AF7F89C} - (no file)
O2 - BHO: (no name) - {E1298640-BB84-4834-9F60-56571588354C} - (no file)
O2 - BHO: (no name) - {E2AC4971-6E67-4796-AB0F-E76F1D45AB96} - (no file)
O4 - HKLM\..\Run: [Video Process] MSlti64.exe
O4 - HKLM\..\Run: [Local Service] spoolsp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Video Process] MSlti64.exe
O4 - HKLM\..\RunServices: [Local Service] spoolsp.exe
O4 - HKLM\..\RunServices: [Bin Personal Firewall] binetc.exe
O4 - HKCU\..\Run: [Local Service] spoolsp.exe
O4 - HKCU\..\RunServices: [Local Service] spoolsp.exe



===========



Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close Ewido anti-spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
  • Clean out your Temporary Internet files
    • Quit Internet Explorer and quit any instances of Windows Explorer.
    • Click Start -> Control Panel and then double-click Internet Options.
    • On the General tab, click Delete Files under Temporary Internet Files.
    • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
    • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
    • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
    • Click OK.
    IMPORTANT: Close all windows and do not open any other windows or programs while Ewido is scanning, it may interfere with the scanning process:

  • Launch Ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido and reboot your system back into Normal Mode and post the results of the Ewido scan report along with a new Hijackthis log.



========================================================
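As an added example (not code from the thread, from BleepingComputer or from HijackThis), the rules the helper applied by hand when picking the fix list above, written as a small Python triage script: an empty R0 page value, an O2 BHO whose DLL is "(no file)", an O4 entry whose command is a bare file name, and anything under a RunServices key. The sample input is a subset of the log posted above; the regexes and the heuristics are assumptions of this example, and a "(no name)" BHO with a real DLL (Spybot's SDHelper.dll) is deliberately left alone.

```python
"""Triage of HijackThis v1.99 log lines (R0, O2 and O4 sections).

Added example, not code from the thread or from HijackThis. The rules mirror
the hand-picked fix list above: an empty R0 page value, an O2 BHO whose DLL is
"(no file)", an O4 entry whose command is a bare file name (resolved through the
PATH search, so the log gives no path to inspect), and any RunServices entry.
"""
import re
from dataclasses import dataclass

# Subset of the HijackThis log posted above, used here as sample input.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {00EB98C4-0DEF-41AE-9484-8DC9CA30E27A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Video Process] MSlti64.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Bin Personal Firewall] binetc.exe
O4 - HKCU\..\RunServices: [Local Service] spoolsp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
""".strip().splitlines()

# One pattern per section we triage; other sections (O9, O16, O23, ...) are left alone.
R0_RE = re.compile(r"^R0 - (?P<key>.+?)\s*=\s*(?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    line: str    # the log line exactly as HijackThis printed it (what you tick)
    reason: str  # why it was flagged


def is_bare_filename(cmd: str) -> bool:
    """True when the autostart command has no directory component at all.

    A legitimate installer writes a full path (quoted, or via %systemroot%);
    a bare name such as MSlti64.exe is located through the PATH search, which
    also means the log gives you no path to go and inspect.
    """
    exe = cmd.strip().strip('"')
    return "\\" not in exe and ":" not in exe and "%" not in exe


def triage(lines):
    """Return the Findings for a sequence of HijackThis log lines, in log order."""
    findings = []
    for raw in lines:
        line = raw.rstrip()
        if (m := R0_RE.match(line)) is not None:
            if m["value"] == "":
                findings.append(Finding(line, "empty IE page value; HijackThis resets it to the default"))
        elif (m := O2_RE.match(line)) is not None:
            # "(no name)" alone is not a signal: Spybot's SDHelper.dll shows as "(no name)" too.
            if m["path"] == "(no file)":
                findings.append(Finding(line, "BHO CLSID still registered but its DLL is gone"))
        elif (m := O4_RE.match(line)) is not None:
            if m["key"].startswith("RunServices"):
                # RunServices is a Windows 9x/ME key; XP does not process it, so
                # nothing legitimate on an XP box needs to be listed there.
                findings.append(Finding(line, "entry under RunServices, a Windows 9x key XP ignores"))
            elif is_bare_filename(m["cmd"]):
                findings.append(Finding(line, "bare file name with no path, resolved via PATH search"))
    return findings


def fix_checked_list(lines):
    """The lines to tick before 'Fix checked', in log order."""
    return [f.line for f in triage(lines)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run it over a full log (`triage(open("hijackthis.log").read().splitlines())`) and compare its list with the helper's: the heuristic misses items a human may still choose to remove, such as the harmless KernelFaultCheck entry, because that one carries a full path.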

#5 latitudefilms

latitudefilms
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:59 PM

Posted 28 August 2006 - 09:31 AM

Hi Sam,

Followed your instructions, but had trouble getting an Ewido report. I ran it in safemode as you said, but when I click on the reports tab nothing is there (yes, I did click the "automatically generate a report" box!)

There was a bunch of stuff, but I didn't pay much attention as I thought I'd have the report... :thumbsup: (I uninstalled it, reinstalled it and rescanned -- only showed up cookies this time, and still no way of saving the report!):flowers:

Anyway, here is the new hijackthis log after deleting the files and running ewido.

Logfile of HijackThis v1.99.1
Scan saved at 16:06:47, on 28/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\MSTMON_N.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\Wtablet\TabUserW.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {E2AC4971-6E67-4796-AB0F-E76F1D45AB96} - (no file)
O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1300WStatusDisplay] C:\WINDOWS\System32\MSTMON_N.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\ADOBE\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://fr.encyclopedia.yahoo.com/rsc/tdserver.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6C6A77C7-B4CC-4792-BB9D-5B50A211F69E} (ProductInformation Control) - http://www.iolo.com/app/ocx/ProductInformation.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {70FBDD76-044D-40C4-95E0-E15791C24AA4} (GViewer.GuardianViewer) - http://www.guardiansoftware.com/GAudit.CAB
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Fichiers communs\Mediafour\MacDriveiTunesPatch.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

I was reading some other posts, and I think I got infected at myspace also, about a month ago when I accepted an activeX... Why do you think my desktop icons go fuzzy when I click on them? (this doesn't happen when I log on as a guest).

Thanks so much,

Simon

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 28 August 2006 - 07:23 PM

Fix this line with Hijackthis.

O2 - BHO: (no name) - {E2AC4971-6E67-4796-AB0F-E76F1D45AB96} - (no file)


Otherwise your log looks pretty good. :thumbsup:

Let's check and make sure Ewido removed everything it should have though.

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Are your desktop icons larger than they were before, or just fuzzy?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
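The helper above is reading the HijackThis log by section code: an O2 BHO line ending in `(no file)` is a dead registration whose DLL is already gone, O16 DPF lines record which sites installed ActiveX controls (the kind of prompt that started this thread), and `(file missing)` marks registry entries that still point at a path that no longer exists. As an added example (not code from the thread, from HijackThis or from BleepingComputer), here is a small Python triage script over a constructed sample in the same shape as the posted log; the classification rules it applies are my own heuristics, not HijackThis features.

```python
"""Triage a HijackThis 1.99.1 log (added example, not part of the thread).

The section codes (R0, O2, O4, O9, O16, O23) are HijackThis's own; the
heuristics applied to them below are the editor's assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, same shape as the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E2AC4971-6E67-4796-AB0F-E76F1D45AB96} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
"""

LINE_RE = re.compile(r"^(?P<sec>[ROF]\d+)\s+-\s+(?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_hjt(text):
    """Split a log into (section, body) records; non-entry lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("sec"), "body": m.group("body")})
    return entries


def orphaned_bhos(entries):
    """O2 lines HijackThis marks '(no file)': the BHO DLL is gone but the
    CLSID registration survives. Fixing the line only deletes that key."""
    return [CLSID_RE.search(e["body"]).group(0)
            for e in entries
            if e["section"] == "O2" and e["body"].endswith("(no file)")]


def dpf_hosts(entries):
    """Hosts from which ActiveX controls (O16 DPF) were downloaded."""
    hosts = set()
    for e in entries:
        if e["section"] == "O16":
            url = e["body"].rsplit(" - ", 1)[-1]
            hosts.add(urlparse(url).hostname)
    return sorted(h for h in hosts if h)


def unnamed_dpf(entries):
    """O16 entries that registered no friendly name (no '(...)' before the URL).
    Heuristic: legitimate scanners name their control; an anonymous CAB
    deserves a second look before it is trusted."""
    out = []
    for e in entries:
        if e["section"] != "O16":
            continue
        head = e["body"].rsplit(" - ", 1)[0]   # "DPF: {CLSID} (Name)" or "DPF: {CLSID}"
        if "(" not in head:
            out.append(CLSID_RE.search(head).group(0))
    return out


def file_missing_by_section(entries):
    """Count '(file missing)' entries per section. Harmless for leftovers
    such as an uninstalled Messenger button (O9); for O23 it means a service
    definition outlived its binary and should be cleaned up."""
    return dict(Counter(e["section"] for e in entries
                        if e["body"].endswith("(file missing)")))


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("orphaned BHOs:", orphaned_bhos(parsed))
    print("DPF hosts:", dpf_hosts(parsed))
    print("unnamed DPF controls:", unnamed_dpf(parsed))
    print("file missing:", file_missing_by_section(parsed))
```

The script only sorts entries into buckets; deciding which bucket is safe to fix is still the helper's call, exactly as it is in the thread.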

#7 latitudefilms

latitudefilms
  • Topic Starter

  • Members
  • 10 posts

Posted 29 August 2006 - 02:31 AM

Hi Sam :thumbsup:

I deleted the entry, and ran combofix. Here is the report:

Standard - 06-08-29 9:07:06.71
ComboFix 06.08.27BT - Running from: C:\Documents and Settings\Standard\Bureau

((((((((((((((((((((((((((((((( Files Created from 2006-07-29 to 2006-08-29 ))))))))))))))))))))))))))))))))))


2006-08-28 18:10 86,016 --a------ C:\WINDOWS\unvise32.exe
2006-08-28 17:10 76 --a------ C:\WINDOWS\contact@simonbrook.com
2006-08-28 16:55 90,112 --------- C:\WINDOWS\SDUnInst.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-29 08:15 -------- d-------- C:\Program Files\HijackThis
2006-08-28 18:14 -------- d-------- C:\Documents and Settings\Standard\Application Data\Active Disk
2006-08-28 18:10 -------- d-------- C:\Program Files\Iomega
2006-08-28 17:11 -------- d-------- C:\Program Files\Axon Data
2006-08-28 16:51 -------- d-------- C:\Program Files\Clock
2006-08-28 13:51 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-14 23:54 -------- d-------- C:\Program Files\Internet Explorer
2006-07-27 15:26 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 10:27 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll
2006-07-16 08:43 -------- d-------- C:\Program Files\netmeeting
2006-07-16 08:08 -------- d-------- C:\Program Files\WinZip
2006-07-11 23:46 -------- d-------- C:\Program Files\Trend Micro
2006-07-11 19:16 -------- d-------- C:\Program Files\Symantec
2006-07-11 19:16 -------- d-------- C:\Program Files\Fichiers communs\Symantec Shared
2006-07-11 19:15 -------- dr------- C:\Program Files\Fichiers communs
2006-07-11 19:08 -------- d-------- C:\Program Files\Norton AntiVirus
2006-07-05 05:36 -------- dr------- C:\Program Files\Outlook Express
2006-07-05 05:27 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-05 05:27 -------- d-------- C:\Program Files\Uninstall Information
2006-07-04 11:19 -------- d-------- C:\Program Files\Fichiers communs\Softwin
2006-07-04 11:18 -------- d-------- C:\Program Files\Softwin
2006-07-04 09:55 -------- d-------- C:\Program Files\Lavasoft
2006-07-04 09:55 -------- d-------- C:\Documents and Settings\Standard\Application Data\Lavasoft
2006-07-04 09:54 -------- d-------- C:\Program Files\CCleaner
2006-07-03 11:57 -------- d-------- C:\Documents and Settings\Standard\Application Data\Blackberry Desktop
2006-07-02 15:54 -------- d-------- C:\Documents and Settings\Standard\Application Data\Research In Motion
2006-07-02 15:43 -------- d-------- C:\Program Files\Fichiers communs\Research In Motion
2006-07-02 15:42 -------- d-------- C:\Program Files\Research In Motion


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KONICA MINOLTA PagePro 1300WStatusDisplay"="C:\\WINDOWS\\System32\\MSTMON_N.EXE"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"ioloDelayModule"="C:\\Program Files\\iolo\\System Mechanic 6\\delay.exe"
"BDMCon"="\"C:\\Program Files\\Softwin\\BitDefender8\\bdmcon.exe\""
"BDNewsAgent"="\"c:\\program files\\softwin\\bitdefender8\\bdnagent.exe\""
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe /IMGSTART"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices-]
"ScriptBlocking"="\"C:\\Program Files\\Fichiers communs\\Symantec Shared\\Script Blocking\\SBServ.exe\" -reg"
"CSINJECT.EXE"="c:\\Program Files\\Norton SystemWorks\\Norton CleanSweep\\CSINJECT.EXE"
"NPROTECT"="c:\\Program Files\\Norton SystemWorks\\Norton Utilities\\NPROTECT.EXE"
"SymTray - Norton SystemWorks"="c:\\Program Files\\Fichiers communs\\Symantec Shared\\SymTray.exe \"Norton SystemWorks\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\InstallShield Installation Information\\sarokuja.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Uninstall Information\\qupe.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="C:\\Program Files\\DirectX\\sarokuja.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ec,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\3]
"Source"="C:\\Program Files\\Windows Media Player\\qupe.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ee,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\4]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,de,03,00,00,f0,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Windows Compliant"="glytnu.exe"
"Local Service"="spoolsp.exe"
"Bin Personal Firewall"="binetc.exe"
"HLL Data Parameter"="hllcxpa.exe"
"Microsoft Update Debugger"="wincfg32.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Printing Migration"="rundll32.exe C:\\WINDOWS\\System32\\spool\\migrate.dll,ProcessWin9xNetworkPrinters"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Local Service"="spoolsp.exe"
"HLL Data Parameter"="hllcxpa.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Windows Compliant"="glytnu.exe"
"Local Service"="spoolsp.exe"
"Bin Personal Firewall"="binetc.exe"
"HLL Data Parameter"="hllcxpa.exe"
"Microsoft Update Debugger"="wincfg32.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Printing Migration"="rundll32.exe C:\\WINDOWS\\System32\\spool\\migrate.dll,ProcessWin9xNetworkPrinters"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Local Service"="spoolsp.exe"
"HLL Data Parameter"="hllcxpa.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"NPROTECT"="c:\\Program Files\\Norton SystemWorks\\Norton Utilities\\NPROTECT.EXE"
"KONICA MINOLTA PagePro 1300WStatusDisplay"="C:\\WINDOWS\\SYSTEM32\\MSTMON_N.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\disabledrunkeys]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"AtiPTA"="Atiptaxx.exe"
"TkBellExe"="\"C:\\Program Files\\Fichiers communs\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM32\\qttask.exe\" -atboottime"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM32\\STIMON.EXE"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MacDrive-iTunes compatibility


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\D‚marrage du programme de r‚glages.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-08-29 9:08:14.75
ComboFix.txt

Regarding the fuzzy icons, this was the very first visible symptom I had of being infected.
They are exactly the same size as before, and they go "fuzzy" when I run the cursor over them. They then remain "fuzzy" until I refresh the desktop twice. Interestingly, this doesn't happen with all the shortcut icons, but I can't find any logic to the behaviour. Also, if I refresh twice and launch IE from the speedbar, the desktop icon doesn't go fuzzy if IE opens in a small window, but it does if it opens full size! :flowers:

Thanks again,

Simon

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 29 August 2006 - 04:35 PM

Now I see the problem. :thumbsup:


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\Program Files\Windows Media Player\qupe.html
    C:\Program Files\DirectX\sarokuja.html
    C:\Program Files\Uninstall Information\qupe.html
    C:\Program Files\InstallShield Installation Information\sarokuja.html



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
============


Now let's fix your desktop.
  • Click Start -> Control Panel -> Display
  • Go to the Desktop tab and click on the Customize Desktop button.
  • Go to the Web tab
  • Uncheck anything found there and then click the Delete button.
Please post a new log from Combofix.
How are your icons now?

Edited by Buckeye_Sam, 29 August 2006 - 04:35 PM.



========================================================
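The Web-tab fix above works because the ComboFix "Reg Loading Points" section lists Active Desktop components (`Internet Explorer\Desktop\Components\N`) whose `Source` is a local HTML file rather than the `About:Home` default; those HTML layers are drawn on the desktop and are what made the icons render "fuzzy". The same dump also shows Run entries under `HKEY_USERS\.DEFAULT` that name bare executables with no directory. As an added example (not code from the thread or from ComboFix), the following Python parses a constructed excerpt in that .reg-style format and flags both patterns; the parser and the two detection rules are my assumptions.

```python
"""Flag two patterns in a ComboFix 'Reg Loading Points' dump (added example).

The .reg-style parsing and both heuristics are the editor's own assumptions;
nothing here is ComboFix functionality.
"""
import re

# Constructed excerpt, in the shape of the dump posted in this thread.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe /IMGSTART"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\InstallShield Installation Information\\sarokuja.html"
"SubscribedURL"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Uninstall Information\\qupe.html"
"Flags"=dword:00002000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\4]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Windows Compliant"="glytnu.exe"
"Local Service"="spoolsp.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Local Service"="spoolsp.exe"
"""

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
COMPONENT_KEY = re.compile(r"\\Internet Explorer\\Desktop\\Components\\\d+$")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Services|Once)?$", re.IGNORECASE)


def decode_value(raw):
    """Undo .reg escaping: "..." strings have \\ and \" escapes, dword is hex;
    hex(...) blobs are left as the raw text."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg_dump(text):
    """Return {key_path: {value_name: value}}. Hex continuation lines
    (no leading quote) are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def local_desktop_components(keys):
    """Active Desktop components whose Source is a local file path instead of
    a URL or About:Home. This is the pattern behind the fuzzy icons."""
    found = []
    for key, values in keys.items():
        src = values.get("Source", "")
        if COMPONENT_KEY.search(key) and re.match(r"^[A-Za-z]:\\", src):
            found.append(src)
    return sorted(found)


def _executable(cmd):
    """First token of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def unqualified_run_entries(keys):
    """Run/RunOnce/RunServices values naming a bare executable with no
    directory, so the entry gives no hint where the file lives.
    Returns (key, value_name, executable) tuples for review."""
    out = []
    for key, values in keys.items():
        if not RUN_KEY.search(key):
            continue
        for name, cmd in values.items():
            exe = _executable(cmd) if isinstance(cmd, str) else ""
            if exe and not re.search(r"[\\/]", exe):
                out.append((key, name, exe))
    return out


if __name__ == "__main__":
    parsed = parse_reg_dump(SAMPLE_DUMP)
    print("local Active Desktop sources:", local_desktop_components(parsed))
    for key, name, exe in unqualified_run_entries(parsed):
        print("unqualified run entry:", key, name, exe)
```

Both lists are review queues, not deletion lists: a legitimate `rundll32.exe ...` RunOnce entry, like the "Printing Migration" line in the posted dump, has the same bare-name shape and would be flagged too.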

#9 latitudefilms

latitudefilms
  • Topic Starter

  • Members
  • 10 posts

Posted 29 August 2006 - 06:33 PM

Hi Sam,

I'm so glad you can see my problem because I'm so bleeping Lost that I deserve an Emmy!

I've downloaded killbox and started to follow your instructions, but don't understand what you mean when you say

"Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\Windows Media Player\qupe.html
C:\Program Files\DirectX\sarokuja.html
C:\Program Files\Uninstall Information\qupe.html
C:\Program Files\InstallShield Installation Information\sarokuja.html


Where / how do I do this? I looked in killbox and couldn't find them -- is it in explorer?

Thanks

Simon

#10 latitudefilms

latitudefilms
  • Topic Starter

  • Members
  • 10 posts

Posted 30 August 2006 - 01:01 AM

Sorry, I'm not being clear.

When I right-click and copy to clipboard, or when I press CTRL+C I end up with the files on the clipboard. But when I try and paste them into killbox, I only get the first line. And when I use the "file", "paste from clipboard" function, nothing comes up.

I've tried manually searching for these files using the "add file" command, but they are nowhere to be found!

I've downloaded pocket Killbox version 2.0.0.648

A bit perplexed. Should I just do them one at a time?

Thanks,

Simon

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 August 2006 - 04:02 PM

That is possible if those files have already been deleted by another process. Let's try it another way.

Select "Standard File Kill"
One at a time, paste them into Full Path of File to Delete and click the Delete button.

Killbox will then tell you if the files exist or not.


Then post a new log from Combofix.


========================================================

#12 latitudefilms

latitudefilms
  • Topic Starter

  • Members
  • 10 posts

Posted 31 August 2006 - 02:14 AM

Hi Sam,

I tried to delete them all manually, and sure enough they couldn't be found.

I went into control panel, and fixed the desktop -- all the files you mentioned were there -- I unchecked them and now there's no more funny fuzzy stuff! :thumbsup:

However, the computer was acting sluggish again, so I ran ewido in safe mode. It found I had hijacker.agent.A. No idea where that came from, as I've been super careful, but I think ewido quarantined it (although it says in the report that no action was taken...). :flowers:


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 23:56:50 30/08/2006

+ Scan result:



C:\Documents and Settings\Standard\Local Settings\Temporary Internet Files\Content.IE5\6AHD5AIA\popup[1].htm -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Standard\Local Settings\Temporary Internet Files\Content.IE5\XDE6DBUM\popup[1].htm -> Hijacker.Agent.a : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@opodo.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@advertising[1].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@bluestreak[2].txt -> TrackingCookie.Bluestreak : No action taken.
C:\Documents and Settings\Invité\Cookies\invité@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : No action taken.
C:\Documents and Settings\Invité\Cookies\invité@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@as1.falkag[2].txt -> TrackingCookie.Falkag : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@hypertracker[1].txt -> TrackingCookie.Hypertracker : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Invité\Cookies\invité@edge.ru4[2].txt -> TrackingCookie.Ru4 : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@www.smartadserver[1].txt -> TrackingCookie.Smartadserver : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@statcounter[1].txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@targetnet[1].txt -> TrackingCookie.Targetnet : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@trafic[1].txt -> TrackingCookie.Trafic : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@yadro[1].txt -> TrackingCookie.Yadro : No action taken.
C:\Documents and Settings\Standard\Cookies\standard@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.

Here is the new combofix log:


Standard - 06-08-31 9:01:34.71
ComboFix 06.08.27BT - Running from: C:\Documents and Settings\Standard\Bureau

((((((((((((((((((((((((((((((( Files Created from 2006-07-31 to 2006-08-31 ))))))))))))))))))))))))))))))))))


2006-08-28 18:10 86,016 --a------ C:\WINDOWS\unvise32.exe
2006-08-28 17:10 76 --a------ C:\WINDOWS\contact@simonbrook.com
2006-08-28 16:55 90,112 --------- C:\WINDOWS\SDUnInst.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-31 00:03 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-29 08:15 -------- d-------- C:\Program Files\HijackThis
2006-08-28 18:14 -------- d-------- C:\Documents and Settings\Standard\Application Data\Active Disk
2006-08-28 18:10 -------- d-------- C:\Program Files\Iomega
2006-08-28 17:11 -------- d-------- C:\Program Files\Axon Data
2006-08-28 16:51 -------- d-------- C:\Program Files\Clock
2006-08-14 23:54 -------- d-------- C:\Program Files\Internet Explorer
2006-07-27 15:26 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 10:27 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll
2006-07-16 08:43 -------- d-------- C:\Program Files\netmeeting
2006-07-16 08:08 -------- d-------- C:\Program Files\WinZip
2006-07-11 23:46 -------- d-------- C:\Program Files\Trend Micro
2006-07-11 19:16 -------- d-------- C:\Program Files\Symantec
2006-07-11 19:16 -------- d-------- C:\Program Files\Fichiers communs\Symantec Shared
2006-07-11 19:15 -------- dr------- C:\Program Files\Fichiers communs
2006-07-11 19:08 -------- d-------- C:\Program Files\Norton AntiVirus
2006-07-05 05:36 -------- dr------- C:\Program Files\Outlook Express
2006-07-05 05:27 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-05 05:27 -------- d-------- C:\Program Files\Uninstall Information
2006-07-04 11:19 -------- d-------- C:\Program Files\Fichiers communs\Softwin
2006-07-04 11:18 -------- d-------- C:\Program Files\Softwin
2006-07-04 09:55 -------- d-------- C:\Program Files\Lavasoft
2006-07-04 09:55 -------- d-------- C:\Documents and Settings\Standard\Application Data\Lavasoft
2006-07-04 09:54 -------- d-------- C:\Program Files\CCleaner
2006-07-03 11:57 -------- d-------- C:\Documents and Settings\Standard\Application Data\Blackberry Desktop
2006-07-02 15:54 -------- d-------- C:\Documents and Settings\Standard\Application Data\Research In Motion
2006-07-02 15:43 -------- d-------- C:\Program Files\Fichiers communs\Research In Motion
2006-07-02 15:42 -------- d-------- C:\Program Files\Research In Motion


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KONICA MINOLTA PagePro 1300WStatusDisplay"="C:\\WINDOWS\\System32\\MSTMON_N.EXE"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"ioloDelayModule"="C:\\Program Files\\iolo\\System Mechanic 6\\delay.exe"
"BDMCon"="\"C:\\Program Files\\Softwin\\BitDefender8\\bdmcon.exe\""
"BDNewsAgent"="\"c:\\program files\\softwin\\bitdefender8\\bdnagent.exe\""
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe /IMGSTART"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices-]
"ScriptBlocking"="\"C:\\Program Files\\Fichiers communs\\Symantec Shared\\Script Blocking\\SBServ.exe\" -reg"
"CSINJECT.EXE"="c:\\Program Files\\Norton SystemWorks\\Norton CleanSweep\\CSINJECT.EXE"
"NPROTECT"="c:\\Program Files\\Norton SystemWorks\\Norton Utilities\\NPROTECT.EXE"
"SymTray - Norton SystemWorks"="c:\\Program Files\\Fichiers communs\\Symantec Shared\\SymTray.exe \"Norton SystemWorks\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\InstallShield Installation Information\\sarokuja.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00000000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Uninstall Information\\qupe.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00000000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="C:\\Program Files\\DirectX\\sarokuja.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00000000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ec,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\3]
"Source"="C:\\Program Files\\Windows Media Player\\qupe.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00000000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ee,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\4]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,de,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,80,02,00,00,00,00,00,00,80,02,00,00,de,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,80,02,00,00,00,00,00,00,80,02,00,00,de,03,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Windows Compliant"="glytnu.exe"
"Local Service"="spoolsp.exe"
"Bin Personal Firewall"="binetc.exe"
"HLL Data Parameter"="hllcxpa.exe"
"Microsoft Update Debugger"="wincfg32.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Printing Migration"="rundll32.exe C:\\WINDOWS\\System32\\spool\\migrate.dll,ProcessWin9xNetworkPrinters"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Local Service"="spoolsp.exe"
"HLL Data Parameter"="hllcxpa.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Windows Compliant"="glytnu.exe"
"Local Service"="spoolsp.exe"
"Bin Personal Firewall"="binetc.exe"
"HLL Data Parameter"="hllcxpa.exe"
"Microsoft Update Debugger"="wincfg32.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Printing Migration"="rundll32.exe C:\\WINDOWS\\System32\\spool\\migrate.dll,ProcessWin9xNetworkPrinters"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Local Service"="spoolsp.exe"
"HLL Data Parameter"="hllcxpa.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"NPROTECT"="c:\\Program Files\\Norton SystemWorks\\Norton Utilities\\NPROTECT.EXE"
"KONICA MINOLTA PagePro 1300WStatusDisplay"="C:\\WINDOWS\\SYSTEM32\\MSTMON_N.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\disabledrunkeys]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"AtiPTA"="Atiptaxx.exe"
"TkBellExe"="\"C:\\Program Files\\Fichiers communs\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM32\\qttask.exe\" -atboottime"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM32\\STIMON.EXE"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MacDrive-iTunes compatibility


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Démarrage du programme de réglages.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-08-31 9:02:37.17
ComboFix.txt
ComboFix2.txt

How does it look?

Thanks,

Simon

#13 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 August 2006 - 09:28 AM

Ewido found what was in your temporary internet files. Which means that Internet Explorer has visited a site that served a popup that Ewido doesn't like. It's not an executable file, so not a big worry. But you should clean up your temp files.


Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, click the "Delete Files" button
  • When prompted, place a check in "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window.
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.

Clean other temporary files + Recycle Bin:
  • Go to Start > Run and type: cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
You should also delete these files.

C:\WINDOWS\unvise32.exe
C:\WINDOWS\contact@simonbrook.com




Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Compliant"=-
"Local Service"=-
"Bin Personal Firewall"=-
"HLL Data Parameter"=-
"Microsoft Update Debugger"=-

[-HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Compliant"=-
"Local Service"=-
"Bin Personal Firewall"=-
"HLL Data Parameter"=-
"Microsoft Update Debugger"=-

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\3]

Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.



Reboot and post a new hijackthis log.
Let me know how everything is working now.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
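The ComboFix dump above and the fixme.reg in the reply are both written in the regedit export format (REGEDIT4 header, `[Key]` sections, `"name"=data` lines, `[-Key]` and `"name"=-` for deletions, hex data continued with a trailing backslash). As an added example, not part of this thread and not ComboFix's, HijackThis's or the helper's code, the Python below parses that format, flags Run/RunOnce/RunServices values whose program is a bare file name with no directory (the glytnu.exe / spoolsp.exe / binetc.exe pattern in the log, which makes Windows search the PATH for the program), treats rundll32 entries by the DLL they load, and emits the same `"name"=-` deletion file the fix uses. SAMPLE_EXPORT is a constructed excerpt modelled on the posted log; the bare-name heuristic is our own rule of thumb and will also flag some legitimate entries, so review hits before merging anything.

```python
"""Parse a regedit export (REGEDIT4 / ComboFix registry dump), flag suspicious
autorun values and emit the "name"=- deletion file that removes them.

Added example for this thread, not ComboFix's or the helper's code. SAMPLE_EXPORT
is a constructed excerpt modelled on the posted log; the bare-file-name rule is ours.
"""
import re

# Key suffixes Windows executes at boot/logon (compared case-insensitively).
AUTORUN_SUFFIXES = ("\\run", "\\runonce", "\\runservices")
# A quoted program, an unquoted program path that may contain spaces, or a bare token.
_IMAGE_RE = re.compile(
    r'^(?:"([^"]+)"|(.+?\.(?:exe|dll|com|scr|pif|bat|cmd))(?=\s|$)|(\S+))', re.I)
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Windows Compliant"="glytnu.exe"
"Local Service"="spoolsp.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Printing Migration"="rundll32.exe C:\\WINDOWS\\System32\\spool\\migrate.dll,ProcessWin9xNetworkPrinters"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
  33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00
'''

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)          # .reg escapes \ and " with a backslash

def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')

def parse_reg(text):
    """{key: {name: data}}; [-Key] and "name"=- are recorded as None. Strings are
    unescaped, dword/hex data kept verbatim with backslash-continued lines joined."""
    reg, current, cont = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if cont is not None:                             # continuation of hex data
            reg[current][cont] += line.rstrip("\\")
            cont = cont if line.endswith("\\") else None
        elif not line or line[0] == ";" or line.upper().startswith(("REGEDIT", "WINDOWS REGISTRY")):
            continue
        elif line[0] == "[" and line[-1] == "]":
            key = line[1:-1]
            if key.startswith("-"):
                reg[key[1:]], current = None, None       # whole-key deletion
            else:
                current = key
                reg.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            name, data = _unescape(m.group(1)), m.group(2)
            if data == "-":
                reg[current][name] = None
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                reg[current][name] = _unescape(data[1:-1])
            else:
                reg[current][name] = data.rstrip("\\")
                cont = name if data.endswith("\\") else None
    return reg

def decode_expand_string(data):
    """Decode REGEDIT4 hex(2): data (REG_EXPAND_SZ); in this format it is ANSI bytes."""
    raw = bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b)
    return raw.decode("latin-1").rstrip("\x00")

def command_image(cmd):
    """The program an autorun command launches; for rundll32, the DLL it loads."""
    m = _IMAGE_RE.match(cmd.strip())
    image = next((g for g in m.groups() if g), "") if m else ""
    if image.lower().endswith("rundll32.exe"):
        rest = cmd.strip()[m.end():].strip()
        image = rest.split(",", 1)[0].strip('"') or image
    return image

def suspicious_autoruns(reg):
    """(key, name, command) for autorun values whose image has no directory part.
    A bare name like glytnu.exe makes Windows search the PATH for it; installers
    almost always write a full path. HKEY_USERS\\.DEFAULT / S-1-5-18 run as LocalSystem."""
    hits = []
    for key, values in reg.items():
        if not values or not key.lower().endswith(AUTORUN_SUFFIXES):
            continue
        for name, data in values.items():
            if data is None or data.lower().startswith("dword:"):
                continue
            if data.lower().startswith("hex(2):"):
                cmd = decode_expand_string(data)
            elif data.lower().startswith("hex"):
                continue                                 # binary blob, not a command line
            else:
                cmd = data
            image = command_image(cmd)
            if image and "\\" not in image and "/" not in image:
                hits.append((key, name, cmd))
    return hits

def deletion_reg(hits):
    """REGEDIT4 text removing the flagged values in the "name"=- form the fix uses.
    Nothing may precede the REGEDIT4 line and a blank line must follow it."""
    by_key = {}
    for key, name, _ in hits:
        by_key.setdefault(key, []).append(name)
    out = ["REGEDIT4", ""]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{_escape(n)}"=-' for n in names)
        out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    found = suspicious_autoruns(parse_reg(SAMPLE_EXPORT))
    for key, name, cmd in found:
        print(f"{key}\n    {name!r} -> {cmd}")
    print(deletion_reg(found))
```

Run against a real ComboFix or `reg export` file, the script lists the bare-name autoruns and prints a fixme.reg-style file for review; the generated text parses back through `parse_reg` as deletions, which is a cheap sanity check before merging it into a live registry.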

#14 latitudefilms

  • Topic Starter
  • Members
  • 10 posts

Posted 01 September 2006 - 01:45 AM

Hi Sam,

Thanks again for your speedy response. :thumbsup:

I've followed your instructions, but had a snag -- and can't figure out what I am doing wrong...

I open Notepad as you suggest, change the "Save As Type" to "All Files", and save it as fixme.reg on the Desktop, but when I click on it, it just reopens in Notepad; I don't get the "merge with registry" option.

When I right-click on the file, I get a MERGE option, but when I select it it just opens the file exactly as it was in notepad. Why isn't it asking me if I want to merge with the registry?

Thanks

Simon

#15 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 01 September 2006 - 09:47 AM

Make sure that there is no blank line above REGEDIT4, but there is a blank line below it. The text needs to be spaced out exactly as it is in that quote box that I posted.

Let me know if you get it to work.


========================================================