Surfsidekick And Trojans


  • This topic is locked
17 replies to this topic

#1 dawntreader3

dawntreader3

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:00 PM

Posted 25 August 2006 - 09:06 PM

Hello,
I have been trying to help fix a computer that is now somehow riddled with Trojans, a worm and everything else. I have run Spybot, Ad-Aware, HijackThis, PC-Cillin & The Cleaner and gotten rid of hundreds of spyware, viruses and Trojans. But for the most part, these keep coming back because I am not getting rid of the source. Also, I have run Spybot and Ad-Aware in safe mode several times.
I followed the instructions to get rid of SurfSideKick, but none of the items matched exactly, so I wanted to make sure I was not missing anything. There are a few that are obviously bad (like the Hijacked Internet Access ones), so I tried to delete them and I got a message saying that they could not be deleted. I am sorry I do not have the exact words, but the message was shut down by someone before I could copy it. Any advice as to what I should do if it says I cannot delete the items again?
If anyone could help me, I would be eternally grateful :thumbsup:
Thank you!!

Here is the Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 12:45:01 PM, on 8/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Intuit\Entitlement Client v2\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\System32\isnotify.exe
C:\WINDOWS\System32\issearch.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\AOL\1141255393\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\zqskw.exe
C:\WINDOWS\ms0522911-7363.exe
C:\WINDOWS\System32\ismon.exe
C:\WINDOWS\Duce6.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\WINDOWS\System32\4a27aa2e.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\CsinsmNT.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\HijackThis\HijackThis.exe
C:\Program Files\Road Runner\Medic\RRMedic.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\jpcid.exe
F2 - REG:system.ini: UserInit=userinit.exe,ukilndv.exe
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\System32\ixt0.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141255393\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O4 - HKLM\..\Run: [defender] C:\\dfndrff_12.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_12.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [swovdv] C:\WINDOWS\System32\tgkedx.exe reg_run
O4 - HKLM\..\Run: [ms0522911-7363] C:\WINDOWS\ms0522911-7363.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [loaddr] C:\bchjabg.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [4a27aa2e.exe] C:\WINDOWS\System32\4a27aa2e.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [ptvwe] C:\WINDOWS\System32\tgkedx.exe reg_run
O4 - HKCU\..\Run: [4a27aa2e.exe] C:\Documents and Settings\James Horan\Local Settings\Application Data\4a27aa2e.exe
O4 - HKCU\..\Run: [Ultimate Defender] "C:\Program Files\Ultimate Defender\App.exe" hide
O4 - Startup: .protected
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Medic.lnk = C:\Program Files\Road Runner\Medic\RRMedic.exe
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CsinsmNT.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: lnwfj.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\System32\QBPOSProtocol.dll
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\fppm0371e.dll (file missing)
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\guard.tmp (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\System32\urroxtl.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Entitlement Service v2 - Intuit, Inc. - C:\Program Files\Common Files\Intuit\Entitlement Client v2\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lmab_device - Lexmark International, Inc. - C:\WINDOWS\System32\LMabcoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: QBPOS Database Extended Manager (QBPOSDBExtServices) - Intuit Inc. - C:\Program Files\Intuit\QuickBooks Point of Sale 5.0\DatabaseServer\QBPOSDBServiceEx.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner -C:\WINDOWS\System32\wgareg.exe (file missing)

Edited by dawntreader3, 25 August 2006 - 09:08 PM.
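As an added illustration of how a helper reads a log like the one above (this is my own example, not code from the thread, from the HijackThis author, or from any BleepingComputer tool): the script below parses lines in the HijackThis v1.99.1 format and applies a few defender-side heuristics. The sample log is constructed for the example, modelled on entries in the post; the severity labels and the rules themselves are assumptions I chose, not HijackThis output.

```python
import re

# Constructed sample in HijackThis v1.99.1 format, modelled on the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\jpcid.exe
F2 - REG:system.ini: UserInit=userinit.exe,ukilndv.exe
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_12.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [loaddr] C:\bchjabg.exe
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.elitemediagroup.net
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\guard.tmp (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\System32\urroxtl.dll (file missing)
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [Name] command".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

# An autorun target sitting directly in C:\ or C:\WINDOWS\ (rather than in Program Files
# or a system subfolder) is unusual for legitimate software and worth a second look.
ROOT_EXE_RE = re.compile(r'^"?C:\\+(?:WINDOWS\\+)?[^\\"\s]+\.exe', re.I)


def parse_entry(line):
    """Split one log line into its section code and body; None for non-entry lines."""
    match = ENTRY_RE.match(line.strip())
    if not match:
        return None
    return {"section": match.group("section"), "body": match.group("body")}


def run_target(body):
    """Return the command part of an O4 body ('HKLM\\..\\Run: [Name] <command>')."""
    match = re.search(r"\]\s*(.+)$", body)
    return match.group(1).strip() if match else ""


def triage(log_text):
    """Apply simple heuristics (my own, not HijackThis's) and return (section, severity, note)."""
    findings = []
    for line in log_text.strip().splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        sec, body = entry["section"], entry["body"]
        if "(no file)" in body or "(file missing)" in body:
            # The file is already gone; what remains is a stale registry entry.
            findings.append((sec, "orphan", "points at a file that no longer exists; remove the stale entry"))
            continue
        if sec in ("R0", "R1") and re.search(r"Search\w*\s*=\s*http", body):
            findings.append((sec, "medium", "IE search provider redirected to a third-party site"))
        elif sec == "F2" and re.search(r"(Shell=Explorer\.exe|UserInit=userinit\.exe)\s*,\s*\S", body, re.I):
            findings.append((sec, "high", "extra program chained into the logon sequence"))
        elif sec == "O4" and ROOT_EXE_RE.match(run_target(body)):
            findings.append((sec, "medium", "autorun executable lives in the drive or Windows root"))
        elif sec == "O10":
            findings.append((sec, "high", "third-party Winsock LSP; remove with the vendor uninstaller, not by deleting the DLL"))
        elif sec == "O15":
            findings.append((sec, "medium", "site added to the IE Trusted Zone, which relaxes security settings for it"))
        elif sec == "O18" and body.startswith("Filter: text/html"):
            findings.append((sec, "high", "MIME filter sees every HTML page IE renders"))
        elif sec == "O21":
            findings.append((sec, "medium", "ShellServiceObjectDelayLoad DLL is loaded into Explorer at logon"))
    return findings


def severity_counts(findings):
    """Tally findings by severity label."""
    counts = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for sec, sev, note in triage(SAMPLE_LOG):
        print(f"{sec:<4}{sev:<8}{note}")
```

The rules deliberately separate "orphan" entries (file already gone, only the registry pointer remains) from live ones, because the two call for different actions: an orphan is a cleanup of a stale key, while a live O10 or O18 entry means code is still being loaded and the underlying program has to be uninstalled or its file removed before the entry is fixed.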


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:00 AM

Posted 26 August 2006 - 06:16 AM

Welcome aboard... :thumbsup:

Nice collection there :flowers:

Let's get started. 1) Please be patient 2) ASK if you have anything to ask 3) This might take a considerable amount of time, so please try to reply in a timely manner 4) Make sure you are subscribed to this thread so you get an email notification any time I reply -- from the right-hand upper corner of this topic, click on "Options" and choose "Track this Topic". Choose "Immediate Email notification" and hit "Subscribe".

-----

First, please download LSPfix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet & WebHancer.

To get rid of NewDotNet and WebHancer, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

WebHancer or WebHancer Customer Companion (anything that says WebHancer)

If New.Net is not there, go here and follow Procedure 4; NewDotNet Removal Procedure 4.

If WebHancer is not there, please surf here, download & run the removal tool.

After the uninstallation, remember to delete this folder: C:\Program Files\NewDotNet (Or might be named New.Net)

As well as this folder: C:\Program Files\webHancer

Empty recycle bin.

In the event that you lose Internet access after removing New.Net & WebHancer, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

----

Once that is done...

Please download SmitfraudFix © S!Ri
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

-----

Download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply along with the C:\rapport.txt. :huh:
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Hi there, stranger!
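The reason the instructions above have you download LSPfix before uninstalling New.Net and WebHancer is the Winsock Layered Service Provider chain that the O10 lines in the log report: each provider DLL is layered on the ones below it, so deleting a DLL (or its folder) without unregistering it leaves a chain entry pointing at a missing file, and Windows sockets stop working until the broken entry is pruned. The model below is an added example of mine, not code from the thread, from LSPFix, or from Windows itself. The catalog entries are constructed for the example (the real catalog lives in the registry, not in a Python list), and `whlsp_placeholder.dll` is an invented name, not a file from the log.

```python
# Constructed model of the Winsock 2 provider catalog: each entry has an id, the
# provider DLL path, and a chain of entry ids (a layered provider sits on top of
# the entries that follow it, ending at the base provider). Paths other than the
# base provider are sample values chosen for this example.
CATALOG = [
    {"id": 1, "path": r"C:\WINDOWS\System32\mswsock.dll", "chain": [1]},
    {"id": 2, "path": r"C:\Program Files\NewDotNet\newdotnet7_22.dll", "chain": [2, 1]},
    {"id": 3, "path": r"C:\Program Files\webHancer\Programs\whlsp_placeholder.dll", "chain": [3, 2, 1]},
]

SYSTEM_DIR = r"C:\WINDOWS\System32"


def _norm(path):
    # Windows paths are case-insensitive; compare them in one case.
    return path.lower()


def check_catalog(catalog, existing_files):
    """Return (entry id, kind, note) for every problem found in the provider chain."""
    present = {_norm(p) for p in existing_files}
    ids = {entry["id"] for entry in catalog}
    problems = []
    for entry in catalog:
        if _norm(entry["path"]) not in present:
            problems.append((entry["id"], "missing", "provider DLL is gone; every chain through it fails to load"))
        dangling = [i for i in entry["chain"] if i not in ids]
        if dangling:
            problems.append((entry["id"], "dangling", f"chain references removed entries {dangling}"))
        if not _norm(entry["path"]).startswith(_norm(SYSTEM_DIR) + "\\"):
            problems.append((entry["id"], "third-party", "LSP outside the system directory; verify the vendor"))
    return problems


def connectivity_ok(catalog, existing_files):
    """Sockets work only when no chain depends on a missing DLL or a removed entry."""
    return not any(kind in ("missing", "dangling") for _, kind, _ in check_catalog(catalog, existing_files))


def delete_folder(existing_files, folder):
    """Simulate removing a folder the way the instructions above do, without unregistering the LSP."""
    prefix = _norm(folder).rstrip("\\") + "\\"
    return {p for p in existing_files if not _norm(p).startswith(prefix)}


def prune_broken(catalog, existing_files):
    """The repair an LSP fixer performs in this model: drop entries whose DLL is missing
    and rewrite the remaining chains so they skip the dropped ids."""
    present = {_norm(p) for p in existing_files}
    kept = [entry for entry in catalog if _norm(entry["path"]) in present]
    kept_ids = {entry["id"] for entry in kept}
    return [dict(entry, chain=[i for i in entry["chain"] if i in kept_ids]) for entry in kept]


if __name__ == "__main__":
    files = {entry["path"] for entry in CATALOG}
    print("before removal, sockets ok:", connectivity_ok(CATALOG, files))
    files = delete_folder(delete_folder(files, r"C:\Program Files\NewDotNet"), r"C:\Program Files\webHancer")
    print("after deleting folders, sockets ok:", connectivity_ok(CATALOG, files))
    repaired = prune_broken(CATALOG, files)
    print("after pruning broken entries, sockets ok:", connectivity_ok(repaired, files))
```

Run as-is it walks the three states the post describes: the chain works while the third-party DLLs are present, breaks once their folders are deleted, and works again once the entries that point at missing files are pruned and the base provider is the only thing left in the chain.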

#3 dawntreader3

dawntreader3
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:00 PM

Posted 26 August 2006 - 10:31 AM

Dearest Rawe,
Thank you so much for your quick response! I wanted to let you know that since I am assisting a friend with this, I unfortunately am not with the evil machine at all times. However, I will be there later tonight, armed with the downloads on my keydrive and print-outs of your instructions so I can begin (or rather, continue) fighting my battle :thumbsup:
Also, I am going to turn the wireless back on (we have it turned off because of our lovely list of diseases!) so I will be able to access the Internet with my laptop and communicate with you :flowers: I will be there all next week during the day. Later tonight I will report back, and, I am guessing you might want me to post the logfile after I have followed your instructions, so I will copy and post it for you.
Starting Monday I will be there again, ready for phase 2.
I wanted to tell you to let you know that so you did not feel I was being rude by ignoring your request that I respond quickly. If it is too much trouble for you that I am not with the computer at all times (until Monday), I understand. Thank you for your willingness to help!

Thank you again, Rawe! You are my hero :huh:

I will post again tonight~

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:00 AM

Posted 26 August 2006 - 10:50 AM

Sure thing :thumbsup:

Later tonight I will report back, and, I am guessing you might want me to post the logfile after I have followed your instructions, so I will copy and post it for you.

Yep it's all in the instructions listed which logs I need, usually they are from the tools we are going to run.

Starting Monday I will be there again, ready for phase 2.
I wanted to tell you to let you know that so you did not feel I was being rude by ignoring your request that I respond quickly. If it is too much trouble for you that I am not with the computer at all times (until Monday), I understand.

Right, and no, I don't feel it's rude or anything, you have to do what you have to do. As long as you stick to the instructions until I let you know when it's completely clean (since, even if the problems went away, it might not mean it's yet clean). :flowers:
Hi there, stranger!

#5 dawntreader3

dawntreader3
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:00 PM

Posted 28 August 2006 - 08:46 PM

Hi there :thumbsup: Wow. Ok! I followed your instructions and I think I got rid of those two beasts...I hope!
I did lose Internet access and I ran LSPFix.exe. There were no items on the right side, so I did nothing, but we still do not have Internet.

Here is the ComboFix File:


06-08-28 14:50:16.25
ComboFix 06.08.26BT - Running from: E:\

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Duce6.exe
C:\WINDOWS\system32\zqskw.exe
C:\WINDOWS\thiselt.exe


((((((((((((((((((((((((((((((( Files Created from 2006-07-28 to 2006-08-28 ))))))))))))))))))))))))))))))))))


2006-08-28 14:16 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2006-08-28 14:16 42,496 --a------ C:\WINDOWS\SYSTEM32\swreg.exe
2006-08-28 14:16 40,960 --a------ C:\WINDOWS\SYSTEM32\swsc.exe
2006-08-28 14:16 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2006-08-28 13:49 53,120 --a------ C:\WINDOWS\optimize.exe
2006-08-28 13:49 42,944 --a------ C:\WINDOWS\pop06ap2.exe
2006-08-28 13:49 32,768 --a------ C:\WINDOWS\unstall.exe
2006-08-28 13:48 226,536 --a------ C:\WINDOWS\whCC-GIANT.exe
2006-08-28 13:48 139,264 --a------ C:\WINDOWS\MirarSetup_876073.exe
2006-08-28 13:48 115,160 --a------ C:\WINDOWS\Eim03.exe
2006-08-28 10:52 20,448 --ahs---- C:\WINDOWS\SYSTEM32\net32a.exe
2006-08-26 09:36 23,552 --a------ C:\WINDOWS\SYSTEM32\ukilndv.exe
2006-08-25 19:36 1,650,688 --a------ C:\WINDOWS\SYSTEM32\cdintf250.dll
2006-08-24 17:44 20,448 --ahs---- C:\WINDOWS\SYSTEM32\.exe
2006-08-23 13:21 13,312 --a------ C:\WINDOWS\SYSTEM32\4a27aa2e.exe
2006-08-22 15:43 214,748 --a------ C:\WINDOWS\Setup90.exe
2006-08-22 15:15 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2006-08-22 14:47 70,186 --a------ C:\WINDOWS\g732046.dll
2006-08-22 14:20 15,872 --a------ C:\WINDOWS\SYSTEM32\winrkq32.dll
2006-08-22 14:19 225,280 --ah----- C:\WINDOWS\SYSTEM32\tbhogt.dll
2006-08-22 14:12 234,272 -r--s---- C:\WINDOWS\SYSTEM32\DNRPSETU.DLL
2006-08-22 12:46 8,464 --a------ C:\WINDOWS\SYSTEM32\sporder.dll
2006-08-22 12:46 75,264 --a------ C:\bvdlfg.exe
2006-08-22 12:46 53,248 --a------ C:\bchjabg.exe
2006-08-22 12:46 2,560 --a------ C:\WINDOWS\ac3_0002.exe
2006-08-22 12:46 167,936 --ah----- C:\WINDOWS\SYSTEM32\tbhogttb.dll
2006-08-22 12:46 0 --a------ C:\wqeut.exe
2006-08-22 12:45 74,752 --a------ C:\mfvamyl.exe
2006-08-22 12:41 61,952 --a------ C:\WINDOWS\SYSTEM32\mam638cf.dll
2006-08-22 12:41 1,233 --a------ C:\WINDOWS\SYSTEM32\mam638cf.sys
2006-08-22 12:40 28,672 --------- C:\WINDOWS\SYSTEM32\iqqr.exe
2006-08-22 12:39 20,480 --a------ C:\WINDOWS\SYSTEM32\drload.exe
2006-08-22 12:39 2,368 --a------ C:\WINDOWS\SYSTEM32\SVKP.sys
2006-08-14 20:52 78,848 --a------ C:\WINDOWS\SYSTEM32\nsc26.dll
2006-08-11 12:05 155,648 --a------ C:\WINDOWS\ms0522911-7363.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-28 14:24 -------- d-------- C:\Program Files\The Cleaner
2006-08-28 13:52 -------- d-------- C:\Program Files\webHancer
2006-08-28 13:49 0 --a------ C:\CONFIG.SYS
2006-08-28 13:49 0 --a------ C:\AUTOEXEC.BAT
2006-08-28 10:52 20448 --ahs---- C:\WINDOWS\SYSTEM32\.exe
2006-08-26 21:18 -------- d-------- C:\Program Files\Common Files
2006-08-26 10:26 -------- d-------- C:\Program Files\America Online 8.0
2006-08-25 19:29 -------- d-------- C:\Program Files\Common Files\Intuit
2006-08-25 19:22 -------- d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2006-08-25 15:02 -------- d-------- C:\Program Files\Symantec
2006-08-25 14:22 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-25 13:39 -------- d-------- C:\Program Files\OfficeUpdate11
2006-08-24 18:33 -------- d-------- C:\Program Files\Outlook Express
2006-08-24 17:36 414720 --a------ C:\WINDOWS\SYSTEM32\WIAACMGR.EXE
2006-08-24 17:36 375808 --a------ C:\WINDOWS\SYSTEM32\CMD.EXE
2006-08-24 17:35 8192 --a------ C:\WINDOWS\winhlp32.exe
2006-08-24 17:35 80384 --a------ C:\WINDOWS\SYSTEM32\CHARMAP.EXE
2006-08-24 17:35 78848 --a------ C:\WINDOWS\SYSTEM32\msiexec.exe
2006-08-24 17:35 61440 --a------ C:\WINDOWS\SYSTEM32\CLEANMGR.EXE
2006-08-24 17:35 388608 --a------ C:\WINDOWS\SYSTEM32\mstsc.exe
2006-08-24 17:35 32768 --a------ C:\WINDOWS\SYSTEM32\ODBCAD32.EXE
2006-08-24 17:35 32256 --a------ C:\WINDOWS\SYSTEM32\WUPDMGR.EXE
2006-08-24 17:35 216064 --a------ C:\WINDOWS\SYSTEM32\fxscover.exe
2006-08-24 17:35 20480 --a------ C:\WINDOWS\SYSTEM32\ControlSuite.exe
2006-08-24 17:35 179200 --a------ C:\WINDOWS\SYSTEM32\accwiz.exe
2006-08-24 17:35 138752 --a------ C:\WINDOWS\SYSTEM32\SNDVOL32.EXE
2006-08-24 17:35 124416 --a------ C:\WINDOWS\SYSTEM32\SNDREC32.EXE
2006-08-24 17:35 1135616 --a------ C:\WINDOWS\SYSTEM32\NTBACKUP.EXE
2006-08-24 17:35 11264 --a------ C:\WINDOWS\SYSTEM32\fxssend.exe
2006-08-24 17:34 94208 --a------ C:\WINDOWS\BCMSMU.exe
2006-08-24 17:34 67584 --a------ C:\WINDOWS\SYSTEM32\magnify.exe
2006-08-24 17:34 53248 --a------ C:\WINDOWS\uni_ehhhh.exe
2006-08-24 17:34 53248 --a------ C:\WINDOWS\uneng.exe
2006-08-24 17:34 53248 --a------ C:\WINDOWS\AolCInUn.exe
2006-08-24 17:34 51200 --a------ C:\WINDOWS\SYSTEM32\narrator.exe
2006-08-24 17:34 47616 --a------ C:\WINDOWS\SYSTEM32\UTILMAN.EXE
2006-08-24 17:34 46080 --a------ C:\WINDOWS\setdebug.exe
2006-08-24 17:34 4096 --a------ C:\WINDOWS\lt.exe
2006-08-24 17:34 34304 --a------ C:\WINDOWS\SYSTEM32\RCIMLBY.EXE
2006-08-24 17:34 33792 --a------ C:\WINDOWS\Q330994.exe
2006-08-24 17:34 33792 --a------ C:\WINDOWS\oeuninst.exe
2006-08-24 17:34 33792 --a------ C:\WINDOWS\ieuninst.exe
2006-08-24 17:34 306688 --a------ C:\WINDOWS\IsUninst.exe
2006-08-24 17:34 212480 --a------ C:\WINDOWS\SYSTEM32\osk.exe
2006-08-24 16:41 -------- d-------- C:\Program Files\Internet Explorer
2006-08-24 15:59 504320 --a------ C:\WINDOWS\SYSTEM32\logonui(2).exe
2006-08-24 15:11 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2006-08-24 15:11 162304 --a------ C:\WINDOWS\UNWISE.EXE
2006-08-24 15:10 25600 --a------ C:\WINDOWS\TWUNK_32.EXE
2006-08-24 15:10 15360 --a------ C:\WINDOWS\taskman.exe
2006-08-24 15:09 65536 --a------ C:\WINDOWS\BCMSMD2K.exe
2006-08-24 13:56 -------- d-------- C:\Program Files\Windows NT
2006-08-24 13:56 -------- d-------- C:\Program Files\Windows Media Player
2006-08-24 13:42 -------- d-------- C:\Program Files\NetMeeting
2006-08-24 13:35 -------- d-------- C:\Program Files\Movie Maker
2006-08-24 13:08 134144 --a------ C:\WINDOWS\regedit.exe
2006-08-24 13:04 -------- d-------- C:\Documents and Settings\James Horan\Application Data\MSN6
2006-08-24 12:56 66048 --a------ C:\WINDOWS\notepad.exe
2006-08-23 19:16 -------- d-------- C:\Program Files\Intuit
2006-08-23 16:25 66048 --a------ C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
2006-08-23 15:18 -------- d-------- C:\Program Files\Online Services
2006-08-23 14:57 -------- d-------- C:\Program Files\Common Files\qozk
2006-08-23 13:20 155648 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
2006-08-23 13:15 31248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmpreflt.sys
2006-08-23 13:15 190480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TmXPFlt.sys
2006-08-23 13:15 1022432 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\VSAPINT.SYS
2006-08-23 11:00 -------- d-------- C:\Program Files\Trend Micro
2006-07-28 14:11 -------- d-------- C:\Program Files\Common Files\aol
2006-07-26 08:27 -------- d-------- C:\Program Files\America Online 9.0
2006-07-11 14:26 -------- d-------- C:\Program Files\Lavasoft
2006-07-11 14:26 -------- d-------- C:\Documents and Settings\James Horan\Application Data\Lavasoft
2006-07-07 17:44 -------- d-------- C:\Program Files\Norton SystemWorks
2006-05-31 19:53 104008 --a------ C:\WINDOWS\SYSTEM32\AOLDial.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /nosystray /deaf"
@=""
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"AcctMgr"="C:\\Program Files\\Norton SystemWorks\\Password Manager\\AcctMgr.exe /startup"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1141255393\\ee\\AOLSoftware.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\""
"QD FastAndSafe"="C:\\Program Files\\Norton SystemWorks\\Norton CleanSweep\\QDCSFS.exe /startup"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"k6mmN5IOU"="\"C:\\WINDOWS\\System32\\wfxqhv.exe\""
"ACTX1"="C:\\WINDOWS\\v1201.exe"
"ms0522911-7363"="C:\\WINDOWS\\ms0522911-7363.exe"
"loaddr"="C:\\bchjabg.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Antivirus\\pccguide.exe\""
"PCClient.exe"="\"C:\\Program Files\\Trend Micro\\Antivirus\\PCClient.exe\""
"TM Outbreak Agent"="\"C:\\Program Files\\Trend Micro\\Antivirus\\TMOAgent.exe\" /run"
"4a27aa2e.exe"="C:\\WINDOWS\\System32\\4a27aa2e.exe"
"tcactive"="C:\\Program Files\\The Cleaner\\tca.exe"
"tcmonitor"="C:\\Program Files\\The Cleaner\\tcm.exe"
"webHancer Survey Companion"="\"C:\\Program Files\\webHancer\\Programs\\whSurvey.exe\""
"pop06ap"="C:\\WINDOWS\\pop06ap2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"RealPlayer"="\"C:\\Program Files\\Real\\RealPlayer\\realplay.exe\" /RunUPGToolCommandReBoot"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"4a27aa2e.exe"="C:\\Documents and Settings\\James Horan\\Local Settings\\Application Data\\4a27aa2e.exe"
"Ultimate Defender"="\"C:\\Program Files\\Ultimate Defender\\App.exe\" hide"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"SpybotSnD"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autocheck"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Common Files\\kyhe.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Online Services\\hofywy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,58,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kzoq"="c:\\stub_113_4_0_4_0newer.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kzoq"="c:\\stub_113_4_0_4_0newer.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - James Horan.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\Symantec Drmc.job

Completion time: Mon 08/28/2006 14:51:01.31
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

HERE IS THE RAPPORT FILE:

SmitFraudFix v2.81

Scan done at 14:47:49.20, Mon 08/28/2006
Run from E:\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\

C:\uniq FOUND !

C:\WINDOWS

C:\WINDOWS\.protected FOUND !
C:\WINDOWS\pop06ap2.exe FOUND !

C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\ot.ico FOUND !

C:\Documents and Settings\James Horan\Application Data


Start Menu

C:\DOCUME~1\JAMESH~1\STARTM~1\Programs\Startup\.protected FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

C:\DOCUME~1\JAMESH~1\FAVORI~1

C:\DOCUME~1\JAMESH~1\FAVORI~1\Antivirus Test Online.url FOUND !

Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Common Files\\kyhe.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Online Services\\hofywy.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Scanning wininet.dll infection


End

#6 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 29 August 2006 - 06:09 AM

Before continuing the cleanup, let's try getting that internet access back to the infected PC. :thumbsup:

Download and run WinsockXPFix.

Do a reg-backup first, though. Then click the "Fix" button. Continue with any instructions it gives after that (mostly prompts, probably, if anything). Let me know how it works out :flowers:
Hi there, stranger!

#7 dawntreader3

  • Topic Starter
  • Members
  • 9 posts

Posted 29 August 2006 - 08:33 AM

Hi :huh:
Ok, sounds good. If I am successful, I will post a reply from there. If not, I will have to wait until I get home later :thumbsup:
But I have a question: How do I do a reg-backup?
Sorry! Maybe I know this already... I am slow this morning :flowers:
Thank you again :huh:

#8 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 29 August 2006 - 11:00 AM

There's a button for ReG-Backup in the fix itself :thumbsup:
Hi there, stranger!

#9 dawntreader3

  • Topic Starter
  • Members
  • 9 posts

Posted 30 August 2006 - 02:13 PM

What a day! Ok, I ran the program and did the Reg backup and restored Internet access.
Then, every time I went to Bleepingcomputer.com and clicked on the link to this discussion, the browser would suddenly close. I re-booted several times and it did the same thing. So I spent a long time on the phone with Linksys support to see if I could at least get the router working so I could post this using my laptop. That worked for a second, then I had no connection on either machine. I called back. I was up and running again until a little while ago, when inexplicably, only the wireless connection on my laptop worked.
A moment ago, I reset the router and unplugged the modem etc..etc... and now I have a connection on both machines again! Phew :thumbsup:

Now, I just tried opening the link to this discussion again (on the desktop) and, once more, the browser suddenly shuts down. But apparently the Internet connection is fine. Perhaps this has something to do with how infected that computer is? Some of the links on the desktop are randomly unresponsive. After a re-boot they usually work, but that all depends.
So I am posting this from my laptop.

AHHHHHHH!!! :flowers:

Sorry for rambling, I just thought maybe I should let you know, just in case it matters...

Edited by dawntreader3, 30 August 2006 - 02:20 PM.


#10 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 31 August 2006 - 01:57 AM

Ok, so let me get this straight: you have internet access on the infected machine (good). But you can't access this discussion as the browser simply times out?

But you can access here with the clean machine.. Right? It's still helpful if you have the net on the infected machine. Simply print the instructions on the other computer and then follow them on the infected one?

Then post the logs here on the clean one.. But be sure to try on the infected one from time to time as it might just be because of the infections since you have a lot of them :thumbsup:
Hi there, stranger!

#11 dawntreader3

  • Topic Starter
  • Members
  • 9 posts

Posted 31 August 2006 - 02:05 PM

You got it!
I am using my laptop (clean) here with the desktop (diiirrrrty!!).
I have basically been running Spybot, AdAware and The Cleaner (sometimes in safe mode) to keep the spyware under control while I work on it. However, I thought I got rid of WebHancer (Spybot said it fixed it after I followed the steps to uninstall it), but Spybot found it again today and said it could not remove it.
I think this means that another virus that I have not gotten rid of is re-installing it. So I am getting rid of the symptoms, not the diseases?

:thumbsup:

What should I do next?
You are the best~ Thank you for your continued help :flowers:

Edited by dawntreader3, 31 August 2006 - 02:06 PM.
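As an added illustration, not part of this thread and not code from ComboFix, SmitFraudFix or any other tool named here: the point raised in the post above, that removing what Spybot finds only treats symptoms while something else re-creates it, is normally settled by reading the auto-start entries in the ComboFix "Reg Loading Points" block and working out which file is doing the re-creating. The Python script below does the first-pass triage an analyst would apply to that block: it parses the .reg-style listing, keeps only Run/RunOnce values, and scores each one with a few heuristics (image in a drive or Windows root or a per-user profile folder, generated-looking file or value names, Run values in the SYSTEM or .DEFAULT profile). The sample input is a constructed excerpt modelled on the log earlier in the thread, with the user profile path replaced by a placeholder; the rules, weights and threshold are my own assumptions for prioritising what to look at, not a verdict on any file.

```python
"""First-pass triage of Windows auto-start (Run key) entries taken from a
.reg-style listing such as the 'Reg Loading Points' block ComboFix prints.

Added example, not code from this thread or from ComboFix/SmitFraudFix.
The heuristics and weights are assumptions chosen to rank analyst attention;
they are not a malware verdict.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt, modelled on the Run keys quoted in the thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"AcctMgr"="C:\\Program Files\\Norton SystemWorks\\Password Manager\\AcctMgr.exe /startup"
"k6mmN5IOU"="\"C:\\WINDOWS\\System32\\wfxqhv.exe\""
"ACTX1"="C:\\WINDOWS\\v1201.exe"
"ms0522911-7363"="C:\\WINDOWS\\ms0522911-7363.exe"
"loaddr"="C:\\bchjabg.exe"
"4a27aa2e.exe"="C:\\WINDOWS\\System32\\4a27aa2e.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"4a27aa2e.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\4a27aa2e.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kzoq"="c:\\stub_113_4_0_4_0newer.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # string values only; dword/hex lines are ignored
RUN_KEY_RE = re.compile(r"\\run(once)?$", re.IGNORECASE)
SYSTEM_PROFILES = ("HKEY_USERS\\S-1-5-18\\", "HKEY_USERS\\.DEFAULT\\")
VOWELS = set("aeiouAEIOU")


@dataclass
class AutoStart:
    key: str
    name: str
    command: str
    image: str
    reasons: list = field(default_factory=list)  # (weight, explanation)

    @property
    def score(self) -> int:
        return sum(w for w, _ in self.reasons)


def unescape_reg(s: str) -> str:
    # .reg files escape a backslash as \\ and a quote as \"; drop the escape char.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def image_path(command: str) -> str:
    # Quoted command: the image is the quoted part. Unquoted: cut at the first
    # .exe so paths with spaces (Program Files) survive the argument split.
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [""])[0]


def parse_autostarts(text: str) -> list:
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            key = k.group(1)
            continue
        if key is None or not RUN_KEY_RE.search(key):
            continue  # only Run / RunOnce keys matter for this pass
        v = VALUE_RE.match(line)
        if v:
            command = unescape_reg(v.group(2))
            entries.append(AutoStart(key, v.group(1), command, image_path(command)))
    return entries


def assess(entry: AutoStart) -> list:
    """Heuristic signals (assumed weights): location, naming, and which profile."""
    reasons = []
    directory, _, filename = entry.image.rpartition("\\")
    d = directory.lower()
    stem = re.sub(r"\.exe$", "", filename, flags=re.IGNORECASE)
    # Installers rarely drop an auto-started image into a drive root, the Windows
    # root, or a per-user profile/temp folder; droppers commonly do.
    if re.fullmatch(r"[a-z]:(\\windows)?", d):
        reasons.append((2, f"image in {directory} root"))
    elif "\\local settings\\" in d or re.search(r"\\te?mp(\\|$)", d):
        reasons.append((2, "image under a per-user profile/temp folder"))
    # Hex blobs, long digit runs, vowel-less strings and letter/digit mixes are
    # typical of generated names.
    if re.fullmatch(r"[0-9a-f]{8,}", stem.lower()):
        reasons.append((1, "file name is a hex string"))
    if re.search(r"\d{4,}", stem):
        reasons.append((1, "file name has a long digit run"))
    if len(stem) >= 5 and not (set(stem) & VOWELS):
        reasons.append((1, "file name has no vowels"))
    if re.search(r"[A-Za-z]", entry.name) and re.search(r"\d", entry.name):
        reasons.append((1, "value name mixes letters and digits"))
    # Desktop software does not register Run values for the SYSTEM account
    # (S-1-5-18) or the .DEFAULT profile.
    if entry.key.upper().startswith(SYSTEM_PROFILES):
        reasons.append((2, "Run value in the SYSTEM/.DEFAULT profile"))
    return reasons


def triage(text: str, threshold: int = 2) -> list:
    """Return entries scoring at or above the threshold, highest score first."""
    flagged = []
    for e in parse_autostarts(text):
        e.reasons = assess(e)
        if e.score >= threshold:
            flagged.append(e)
    return sorted(flagged, key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        hive = e.key.split("\\SOFTWARE", 1)[0]
        print(f"[{e.score}] {e.name!r} -> {e.image}  ({hive})")
        for _, why in e.reasons:
            print(f"      - {why}")
```

Run as a script it prints the flagged entries ranked by score with the reasons for each; the ones that score highest (the Windows-root images with generated names, the SYSTEM-profile Run value) are the ones whose parent installer or process needs to be found and removed before the value itself is deleted, otherwise the value is simply re-created, which is the behaviour the post describes. Entries such as IgfxTray, ccApp and AcctMgr score zero and drop out, which is the point of the weighting: a vowel-less name alone, or a digit in a value name alone, is not enough to surface an entry.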


#12 dawntreader3

  • Topic Starter
  • Members
  • 9 posts

Posted 31 August 2006 - 05:29 PM

Ok, I believe our efforts have been vetoed... The friend I am helping wants to get a new computer :huh:
I told them it was fixable, but I understand where they are coming from... One does need a computer, after all :huh:

You are a sweetheart :thumbsup:
Will you marry me?

Don't worry... I am female :flowers: But is it sexist of me to assume you are male??? Yep, it is.

Ha ha! I am ridiculous! Thank you again for putting up with me~ I learned a lot :huh:

Although, I have to say, I am a bit disappointed. I wanted to know what to do next... I know you could have fixed it vicariously through me! The thing probably needs to be reformatted, though...

#13 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 31 August 2006 - 11:53 PM

Next would have been SmitFraudFix cleaning, as well as Ewido Anti-Spyware + Alcanshorty.bfu.... That would have cleaned massively. Let me know if your friend still comes to other thoughts about this and wants to get this one cleaned :thumbsup: And yes, I'm male, will be turning 16 next month :flowers:
Hi there, stranger!

#14 dawntreader3

  • Topic Starter
  • Members
  • 9 posts

Posted 01 September 2006 - 10:53 AM

I knew it was about to get good! Oh well, if they change their minds, you will be hearing from me :thumbsup:

Almost 16, eh? Ok, well I am a few years older than you...but not by too much, actually :flowers:
It would still make me a cradle-robber though :huh:

#15 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 10 September 2006 - 10:32 AM

Edit: Welcome back :thumbsup:

Please post back with a fresh HijackThis log and also delete your current SmitFraudFix as it has been updated, then download the latest one from the same link as earlier and post the log from option #1. :flowers:

Edited by Rawe, 10 September 2006 - 10:45 AM.

Hi there, stranger!