Alcan Worm Plus Surf Sidekick 3 / Look2me Infections


This topic is locked
15 replies to this topic

#1 Egglestone (Members, 8 posts)

Posted 27 August 2006 - 06:48 PM

Hi all,

I believe I downloaded an infected game file, and ran it (about 3 times because of course it wasn't installing the game!) and then was subjected to repeated popup IE screens, generally advertising websites, and WinFix or something else that I wouldn't touch if you paid me. SurfSideKick installed, and a Look2Me search did find L2M references.

I ran many runs of AdAware and Spybot, also Start-Up Cop, and accessed Add/Remove progs and removed the SSKs. They of course came back. I have continued with many more runs of various cleaners including HijackThis, and *seem* to have removed SSK / Look2Me, but I'm no pro.

Then, Alcan started showing up in AdAware. Spybot is fine, but AdAware keeps finding these. I CAN repair them with AdAware but they regenerate, usually with a boot. I ran AdAware with System Restore off and rebooted, but they still returned. So I'm now out of ideas.

Once I realised the browser windows were coming from the web and, I believe, propagating via web access (could be wrong), I disconnected the net. Haven't been connected since (about a week). I have cleaned up the PC and removed heaps of unused programs and temp files etc. But I'm not game to connect to the net until I run this past you folks.

Therefore I have not yet run every one of the prep tools you have suggested.

CleanMgr - yes (including compress, which took all day, but felt good to do)
(I also searched the PC for other temp files etc and cleaned heaps more out)

AdAware & Spybot - Probably about 15 AdAware scans and 8 or 9 SpyBots

HouseCall, Panda, BitDefender - haven't run them yet, afraid to connect to the net (typing this at work).
(once I download them, do I need the net to run them?)

McAfee Stinger - same as above, afraid to run it yet.

Firewall - always running

Latest Security Updates - yes it automatically updates

HiJack This Log

Please refer below for log (or state if you need me to do the above first) :

~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:43:46 AM, on 28/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\system32\winlog.exe
C:\kybrdff_11a.exe
C:\dfndrff_11a.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\{F4BD7308-0510-1033-0514-02080620003d}\Update.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au4.hpwis.com/
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_11a.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_11a.exe
O4 - HKLM\..\Run: [xqh21422] RUNDLL32.EXE w260dfb4.dll,n 0032141f0000000a260dfb4
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O8 - Extra context menu item: &Define - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

~~~~~~~~~~~~~~~~~~

Any assistance greatly appreciated!

Cheers,

Kev



#2 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 27 August 2006 - 09:16 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Egglestone (Topic Starter, Members, 8 posts)

Posted 28 August 2006 - 06:59 PM

Hi Sam, thanks for your help!


~~~~~~~~~~~~~~~~~~~~~~~~~~


Owner - 06-08-28 18:29:12.26
ComboFix 06.08.27BT - Running from: E:\

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{B596C23F-F6D0-40F7-A9D1-4FC62F2858B6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B596C23F-F6D0-40F7-A9D1-4FC62F2858B6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B596C23F-F6D0-40F7-A9D1-4FC62F2858B6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B596C23F-F6D0-40F7-A9D1-4FC62F2858B6}\InprocServer32]
@="C:\\WINDOWS\\system32\\rahx32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{6BC4F4F2-31FC-4E38-B90E-32AD8C95FA94}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6BC4F4F2-31FC-4E38-B90E-32AD8C95FA94}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6BC4F4F2-31FC-4E38-B90E-32AD8C95FA94}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6BC4F4F2-31FC-4E38-B90E-32AD8C95FA94}\InprocServer32]
@="C:\\WINDOWS\\system32\\dhmclien.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\SYSTEM32\jt2807fue.dll
C:\WINDOWS\SYSTEM32\jt8607lse.dll
C:\WINDOWS\SYSTEM32\k6no0g53e6.dll
C:\WINDOWS\SYSTEM32\PCXTHK32.DLL
C:\WINDOWS\SYSTEM32\rahx32.dll
C:\WINDOWS\SYSTEM32\WADRMNet.dll
C:\WINDOWS\SYSTEM32\guard.tmp


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\newname.dat
C:\WINDOWS\teller2.chk
C:\dfndrff_11a.exe
C:\drsmartload.exe
C:\drsmartload45a999.exe
C:\drsmartload46a999.exe
C:\drsmartload849a999.exe
C:\kybrdff_11a.exe
C:\nwnmff_11.exe
C:\WINDOWS\system32\aaa00000.dll
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\winlog.exe
C:\ac3_0010.exe
C:\deskbar.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\SYSTEM32\atmtd.dll.tmp
C:\WINDOWS\system32\w008528d.dll
C:\WINDOWS\system32\w00c4839.dll
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Deskbar
C:\WINDOWS\IA
C:\WINDOWS\system32\winlog.exe
C:\Program Files\outlook
C:\Program Files\Common Files\{F4BD7308-0510-1033-0514-02080620003d}


((((((((((((((((((((((((((((((( Files Created from 2006-07-28 to 2006-08-28 ))))))))))))))))))))))))))))))))))


2006-08-20 10:32 29,696 --a------ C:\WINDOWS\SYSTEM32\w099938d.dll
2006-08-17 22:12 61,952 --a------ C:\WINDOWS\SYSTEM32\xqh21422.dll
2006-08-17 22:12 1,167 --a------ C:\WINDOWS\SYSTEM32\xqh21422.sys
2006-08-17 22:10 29,696 --a------ C:\WINDOWS\SYSTEM32\w260dfb4.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-28 18:33 -------- d-------- C:\Program Files\Common Files
2006-08-28 07:43 -------- d-------- C:\Program Files\HijackThis
2006-08-19 22:18 -------- d-------- C:\Program Files\Oberon Media
2006-08-19 22:18 -------- d-------- C:\Program Files\Common Files\Oberon Media
2006-08-19 13:32 -------- d-------- C:\Program Files\Croteam
2006-08-19 00:04 -------- d-------- C:\Program Files\Java
2006-08-18 23:53 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-08-17 22:17 -------- d-------- C:\Program Files\Common Files\uqku
2006-08-10 03:06 -------- d-------- C:\Program Files\Internet Explorer
2006-07-27 23:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 18:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll
2006-07-17 23:36 -------- d-------- C:\Program Files\Adobe
2006-07-17 23:34 -------- d-------- C:\Documents and Settings\Owner\Application Data\Leadertech
2006-07-17 23:33 -------- d-------- C:\Program Files\Common Files\Adobe
2006-07-06 19:28 -------- d-------- C:\Program Files\WinZip
2006-07-04 07:37 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeAUM
2006-06-28 01:47 -------- d-------- C:\Program Files\Microsoft Visual Basic


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"hp Silent Service"="C:\\Windows\\system32\\HpSrvUI.exe"
"hpScannerFirstBoot"="c:\\hp\\drivers\\scanners\\scannerfb.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"xqh21422"="RUNDLL32.EXE w260dfb4.dll,n 0032141f0000000a260dfb4"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe /c"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.visionsfantastic.com/daddyb/DL_CastleRain_1024x768_wm.bmp"
"SubscribedURL"="http://www.visionsfantastic.com/daddyb/DL_CastleRain_1024x768_wm.bmp"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,12,02,00,00,23,00,00,00,00,04,00,00,00,03,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,12,02,00,00,23,00,00,00,00,04,00,00,00,03,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"RunNarrator"=""

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"RunNarrator"=""

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\hp center.lnk"
"backup"="C:\\WINDOWS\\pss\\hp center.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HPCENT~1\\137903\\Program\\BACKWE~1.EXE -startup"
"item"="hp center"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DownloadAccelerator]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DAP"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\DAP\\DAP.EXE /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NPS Event Checker]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="npscheck"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Navnt\\npscheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PreloadApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="setup"
"hkey"="HKLM"
"command"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="evntsvc"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
"inimapping"="0"



Completion time: Mon 28/08/2006 18:34:17.76
ComboFix.txt

~~~~~~~~~~~~~~~~

#4 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 28 August 2006 - 08:00 PM

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\w099938d.dll
    C:\WINDOWS\SYSTEM32\xqh21422.dll
    C:\WINDOWS\SYSTEM32\xqh21422.sys
    C:\WINDOWS\SYSTEM32\w260dfb4.dll

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
Please post a new hijackthis log.

#5 Egglestone (Topic Starter, Members, 8 posts)

Posted 29 August 2006 - 05:45 PM

*** Please note the following consists of 1) Killbox log, 2) further note re Killbox, 3) advice of an error message and 4) HijackThis log

~~~~~~~~~~~~~~~~~~~

Pocket Killbox version 2.0.0.648
Running on Windows XP as Owner(Administrator)
was started @ Tuesday, August 29, 2006, 1:31 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\w099938d.dll


# 2 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\xqh21422.dll


# 3 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\xqh21422.sys


# 4 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\w260dfb4.dll


I Rebooted @ 1:42:58 PM
Killbox Closed(Exit) @ 1:42:59 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Owner(Administrator)
was started @ Tuesday, August 29, 2006, 1:46 PM

~~~~~~~~~

Note, while running Killbox, I am happy to report that the restart occurred ok, and that there were no PendingFileRenameOperations prompts at all.

~~~~~~~~~

RUNDLL
Error loading w260dfb4.dll
The specified module could not be found.
(OK)

(This error occurred upon reboot. It also occurred at a later stage again when I rebooted. When OK'ing the prompt, there was no further hindrance from this event)

~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 1:48:59 PM, on 29/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au4.hpwis.com/
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [xqh21422] RUNDLL32.EXE w260dfb4.dll,n 0032141f0000000a260dfb4
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O8 - Extra context menu item: &Define - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited by Egglestone, 29 August 2006 - 05:46 PM.


#6 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 30 August 2006 - 02:04 PM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [xqh21422] RUNDLL32.EXE w260dfb4.dll,n 0032141f0000000a260dfb4



==========


Please download and install AVG antivirus. Follow the prompts to download and install all updates and then run a complete scan.


==========


Update Java:
  • Click Start -> Control Panel -> Add/Remove Programs
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )

    It should have the following icon next to it: (icon image not reproduced)
    Select it and click Remove.
  • The current version of Java can be downloaded from http://java.sun.com/javase/downloads/index.jsp. Scroll down the page to 'Java Runtime Environment (JRE) 5.0 Update 8' and press the 'Download' button. On the new web page, click the 'Accept License Agreement' button. Then select 'Windows Offline Installation, Multi-language' in the Windows Platform area just below the Accept button.
=========


Reboot and post a new hijackthis log.
Let me know of any problems that you are still having.
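The entries the helper singled out in the logs above (a bare `winlog.exe`, executables sitting in `C:\`, rundll32 loading a DLL by bare name, a service whose file is missing) are structural red flags that can be checked mechanically. The Python below is an added example, not a BleepingComputer, HijackThis or ComboFix tool; `Finding`, `triage_log` and the heuristic names are my own, and the sample lines are copied from the first HijackThis log in this thread.

```python
"""Structural triage of HijackThis 1.99.1 log lines (added example, not a BleepingComputer tool).
Flags what a helper scans a log for: autoruns resolved via the search path instead of a
full path, executables in the drive root, rundll32 loading a bare DLL, the obsolete
RunServices key, and services whose binary is missing. A hit is a lead, not a verdict."""
import re
from dataclasses import dataclass, field

# Line layouts as HijackThis 1.99.1 prints them.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
R0_RE = re.compile(r"^R0 - (?P<key>.*),Start Page =\s*(?P<value>.*)$")
# First token ending in an executable extension; tolerates unquoted paths with spaces.
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|com|scr|bat|cmd|pif))(?:\s+(?P<args>.*))?$", re.I)
# C:\foo.exe, including the doubled-backslash form (C:\\foo.exe) seen in this thread's log.
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\+[^\\]+$")

# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au4.hpwis.com/
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_11a.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_11a.exe
O4 - HKLM\..\Run: [xqh21422] RUNDLL32.EXE w260dfb4.dll,n 0032141f0000000a260dfb4
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

@dataclass
class Finding:
    ident: str      # entry name, service name or registry key
    line: str
    reasons: list = field(default_factory=list)

def split_command(cmd: str):
    """Return (executable, arguments) for an autorun command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                    # quoted path, e.g. "C:\Program Files\x\y.exe" -flag
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_RE.match(cmd)
    if m:
        return m["exe"], m["args"] or ""
    parts = cmd.split(None, 1)                 # fallback: first whitespace-delimited token
    return (parts[0] if parts else ""), (parts[1] if len(parts) > 1 else "")

def is_bare(path: str) -> bool:
    """No directory component, so Windows resolves it through the search path."""
    return "\\" not in path and "/" not in path

def triage_o4(m) -> list:
    reasons = []
    if m["key"].lower() == "runservices":
        reasons.append("RunServices key: Windows 9x-era autorun key, not used by XP-era installers")
    exe, args = split_command(m["cmd"])
    target, via = exe, ""
    if exe.rsplit("\\", 1)[-1].lower() in ("rundll32.exe", "rundll32"):
        # rundll32 itself is a Windows binary; the DLL it is told to load is what matters.
        target, via = args.split(",", 1)[0].strip(), "rundll32 target "
    if target and is_bare(target):
        reasons.append(f"{via}{target} has no directory: found via search path, not a vendor folder")
    elif target and DRIVE_ROOT_RE.match(target):
        reasons.append(f"{via}{target} sits in the drive root, where installers do not put executables")
    # Limit of structural checks: the fake '[outlook] C:\Program Files\outlook\outlook.exe' that
    # ComboFix removed in this thread passes them, because it mimics a normal install path.
    return reasons

def triage_o23(m) -> list:
    reasons = []
    if "(file missing)" in m["path"]:
        reasons.append("service binary missing: stale registration of a removed component")
    if m["owner"].strip().lower() == "unknown owner":
        reasons.append("no vendor information for the service binary")
    return reasons

def triage_r0(m) -> list:
    return [] if m["value"].strip() else ["Start Page is empty (informational; helpers normally reset it)"]

def triage_log(text: str) -> list:
    """Return a Finding for every line that trips at least one heuristic, in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        for rx, fn, ident_key in ((O4_RE, triage_o4, "name"), (O23_RE, triage_o23, "svc"), (R0_RE, triage_r0, "key")):
            m = rx.match(line)
            if m:
                reasons = fn(m)
                if reasons:
                    findings.append(Finding(m[ident_key], line, reasons))
                break
    return findings
```

Running `triage_log(SAMPLE_LOG)` flags exactly the seven entries the helper fixed or that ComboFix and Killbox removed, and leaves the HP, Java and NVIDIA entries alone.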

#7 Egglestone (Topic Starter, Members, 8 posts)

Posted 31 August 2006 - 06:07 PM

Please note that the following consists of:
1) A quick summary of the results of following the steps suggested above,
2) A *summarised* log from the AVG scan and
3) A HiJackThis log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
As requested I ran HJT and selected the two lines for removal.
I then downloaded AVG and installed.
For the first time in days I connected to the net to get the latest defs for AVG. I disconnected again once updated.
A full scan took 2 hours and found ~3600 infected files (not a typo!).
There seemed to be no facility for attempting to clean, quarantine or delete them from the scan result.
I then removed a Java from Add/Remove and successfully installed the one suggested above.
AVG then brought my attention to some of the files that the scan found, and *did* give me the option to quarantine, which I did (files placed in Virus Vault listed directly below).
C:\!KillBox\w099938d.dll Trojan horse Downloader.Generic2.KMX Infected
C:\!KillBox\w260dfb4.dll Trojan horse Downloader.Generic2.KMX Infected
C:\Documents and Settings\All Users\Documents\NeroASM.txt Virus identified Worm/Agobot.23.BQ Infected

I rebooted, happy to say that the .dll error of previous boots no longer appears.
I then ran HJT again (log attached).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following is a *summarised* AVG scan log. As it found 3600ish infected files, and 3580ish of them were of an identical nature, I have described that section in short, rather than listing every file.

Partition table (MBR) - OK - Quick checked
Boot sector of disk C: - OK - Quick checked
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load Scanned
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit Scanned
System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell Scanned
System registry exefile\shell\open\command Scanned
System registry scrfile\shell\open\command Scanned
System registry scrfile\shell\config\command Scanned
System registry batfile\shell\open\command Scanned
System registry cmdfile\shell\open\command Scanned
System registry comfile\shell\open\command Scanned
System registry piffile\shell\open\command Scanned
System registry giffile\shell\open\command Scanned
System registry htmlfile\shell\open\command Scanned
System registry htafile\shell\open\command Scanned
System registry jpegfile\shell\open\command Scanned
System registry txtfile\shell\open\command Scanned
System registry regfile\shell\open\command Scanned
System registry cplfile\shell\cplopen\command Scanned
System registry Word.Document.8\shell\open\command Scanned
System registry WordPad.Document.1\shell\open\command Scanned
System registry inffile\shell\open\command Scanned
System registry vbsfile\shell\open\command Scanned
System registry vbefile\shell\open\command Scanned
C:\HP\KBD\KBD.EXE - OK - Quick checked
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe - OK - Quick checked
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe - OK - Quick checked
C:\Program Files\IncrediMail\bin\IncMail.exe - OK - Quick checked
C:\Program Files\Internet Explorer\iexplore.exe - OK - Quick checked
C:\Program Files\Macromedia\Fireworks MX\Fireworks.exe - OK - Quick checked
C:\Program Files\Microsoft Office\Office\WINWORD.EXE - OK - Quick checked
C:\WINDOWS\SMINST\Recguard.exe - OK - Quick checked
C:\WINDOWS\System32\hkcmd.exe - OK - Quick checked
C:\WINDOWS\System32\mshta.exe - OK - Quick checked
C:\WINDOWS\regedit.exe - OK - Quick checked
C:\WINDOWS\system32\ps2.EXE - OK - Quick checked
C:\WINDOWS\system32\rundll32.exe - OK - Quick checked
C:\WINDOWS\system32\shell32.dll - OK - Quick checked
C:\Windows\system32\HpSrvUI.exe - OK - Quick checked
c:\hp\drivers\scanners\ScannerFB.EXE - OK - Quick checked
c:\windows\system\hpsysdrv.exe - OK - Quick checked
C:\WINDOWS\system32\kernel32.dll - OK - Quick checked
C:\WINDOWS\system32\wsock32.dll - OK - Quick checked
C:\WINDOWS\system32\user32.dll - OK - Quick checked
C:\WINDOWS\system32\shell32.dll - OK - Quick checked
C:\WINDOWS\system32\ntoskrnl.exe - OK - Quick checked
C:\WINDOWS\system32\drivers\etc\hosts - OK - Quick checked
C:\!KillBox\w099938d.dll Trojan horse Downloader.Generic2.KMX Infected
C:\!KillBox\w260dfb4.dll Trojan horse Downloader.Generic2.KMX Infected
C:\!KillBox\xqh21422.dll Trojan horse Downloader.Generic2.KAW Infected
C:\Documents and Settings\All Users\Documents\NeroASM.txt Virus identified Worm/Agobot.23.BQ Infected
C:\Documents and Settings\Owner\Complete\(203 Worst Wrecks and Crashes Caught On Tape).zip Virus identified Worm/VB.SO Infected
******************************
I have truncated this section as it consists of approx 3500 files similar to the ones above and below.
- They are all located in the "Complete" folder (which does not seem to exist even amongst hidden files/folders nor through the Explore function).
- Every one has a file description to pass it off as a game file, a video file, or something similar. There were World Of Warcraft files, TV station files, porn files,
- I do not recognise any of the files as anything I have ever downloaded, mentioned or even seen advertised.
- Every one is described as having a Worm/VB.SO infection.
- While AVG reported all these as infected, it would not let me Heal, Quarantine or Delete any of them (or any other infected file, for that matter).
- I remember in the past seeing AdAware Personal check these files and not report any suspicion.
******************************
C:\Documents and Settings\Owner\Complete\[zw] dot Hack Roots 18 Star Ocean (h264) [9DB77F73] mkv.zip Virus identified Worm/VB.SO Infected
C:\Program Files\Common Files\uqku\uqkua.exe Trojan horse Downloader.Generic2.HQQ Infected
C:\Program Files\Common Files\uqku\uqkul.exe Trojan horse Downloader.Generic2.HQR Infected
C:\Program Files\Common Files\uqku\uqkum.exe Trojan horse Downloader.Generic.JAD Infected
C:\Program Files\Common Files\uqku\uqkup.exe Trojan horse Downloader.Generic2.HQP Infected
C:\WINDOWS\SYSTEM32\winlog.exe Trojan horse IRC/BackDoor.SdBot.VJZ Infected
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load Scanned
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit Scanned
System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell Scanned
System registry exefile\shell\open\command Scanned
System registry scrfile\shell\open\command Scanned
System registry scrfile\shell\config\command Scanned
System registry batfile\shell\open\command Scanned
System registry cmdfile\shell\open\command Scanned
System registry comfile\shell\open\command Scanned
System registry piffile\shell\open\command Scanned
System registry giffile\shell\open\command Scanned
System registry htmlfile\shell\open\command Scanned
System registry htafile\shell\open\command Scanned
System registry jpegfile\shell\open\command Scanned
System registry txtfile\shell\open\command Scanned
System registry regfile\shell\open\command Scanned
System registry cplfile\shell\cplopen\command Scanned
System registry Word.Document.8\shell\open\command Scanned
System registry WordPad.Document.1\shell\open\command Scanned
System registry inffile\shell\open\command Scanned
System registry vbsfile\shell\open\command Scanned
System registry vbefile\shell\open\command Scanned
C:\HP\KBD\KBD.EXE - OK - Quick checked
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe - OK - Quick checked
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe - OK - Quick checked
C:\Program Files\IncrediMail\bin\IncMail.exe - OK - Quick checked
C:\Program Files\Internet Explorer\iexplore.exe - OK - Quick checked
C:\Program Files\Macromedia\Fireworks MX\Fireworks.exe - OK - Quick checked
C:\Program Files\Microsoft Office\Office\WINWORD.EXE - OK - Quick checked
C:\WINDOWS\SMINST\Recguard.exe - OK - Quick checked
C:\WINDOWS\System32\hkcmd.exe - OK - Quick checked
C:\WINDOWS\System32\mshta.exe - OK - Quick checked
C:\WINDOWS\regedit.exe - OK - Quick checked
C:\WINDOWS\system32\ps2.EXE - OK - Quick checked
C:\WINDOWS\system32\rundll32.exe - OK - Quick checked
C:\WINDOWS\system32\shell32.dll - OK - Quick checked
C:\Windows\system32\HpSrvUI.exe - OK - Quick checked
c:\hp\drivers\scanners\ScannerFB.EXE - OK - Quick checked
c:\windows\system\hpsysdrv.exe - OK - Quick checked

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:38:25 PM, on 31/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\fxssvc.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au4.hpwis.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O8 - Extra context menu item: &Define - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited by Egglestone, 31 August 2006 - 06:10 PM.
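
An added note on reading logs like the ones above (example code added here, not from the poster, AVG or Ewido): the three log formats that appear in this thread, AVG's plain lines, AVG's quoted CSV export and Ewido's `path -> name : action` report, can be parsed with a few regular expressions and bucketed by where each hit lives. That separates what is actually running (winlog.exe in System32, the uqku downloaders under Common Files) from copies that are inert until something restores or extracts them (System Restore points, zip archives), and it surfaces the "thousands of differently named files, one detection, one folder" pattern of a P2P worm seeding a share folder. The sample lines are copied from the logs posted in this thread; the bucket labels and the hotspot threshold are this example's own choices, not anything the scanners output.

```python
"""Triage the scan logs posted in this thread (AVG plain text, AVG CSV export,
Ewido report) by location and detection name. Added example; the sample lines
are copied from the logs above, everything else is constructed for illustration."""
import csv
import re
from collections import Counter, defaultdict

# AVG plain text: "<path> <Trojan horse|Virus identified> <name> Infected"
AVG_PLAIN = re.compile(
    r"^(?P<path>.+?)\s+(?P<name>(?:Trojan horse|Virus identified)\s+\S+)\s+Infected$")
# Ewido: "<path> -> <name> : <action>."
EWIDO = re.compile(r"^(?P<path>.+?)\s+->\s+(?P<name>\S+)\s+:\s+(?P<action>.+?)\.?$")
AV_PREFIX = re.compile(r"^(?:Trojan horse|Virus identified)\s+")


def parse_line(line):
    """Return (path, detection_name) for an infected entry, None for anything else."""
    line = line.strip()
    if line.startswith('"'):                      # AVG CSV export
        fields = next(csv.reader([line]))
        if len(fields) == 3 and fields[2] == "Infected":
            return fields[0], AV_PREFIX.sub("", fields[1])
        return None
    m = EWIDO.match(line) or AVG_PLAIN.match(line)
    return (m.group("path"), AV_PREFIX.sub("", m.group("name"))) if m else None


def classify(path):
    """Bucket a hit by where it lives; only live OS/program paths run on their own."""
    p = path.lower()
    if p.startswith("hk"):
        return "registry"
    if "\\system volume information\\_restore" in p:
        return "restore point (inert until restored; purge by toggling System Restore)"
    if "\\!killbox\\" in p:
        return "tool backup copy (Pocket KillBox)"
    if ".zip/" in p or p.endswith(".zip"):
        return "archive (inert until extracted and run)"
    if "\\windows\\" in p or "\\program files\\" in p:
        return "live system/program path"
    return "user data"


def parent_dir(path):
    """Folder holding the file; an archive member is attributed to the archive's folder."""
    head = re.split(r"\.zip[/\\]", path, maxsplit=1)[0]
    return head.rsplit("\\", 1)[0] if "\\" in head else head


def triage(log_text, hotspot_threshold=3):
    hits = [h for h in (parse_line(ln) for ln in log_text.splitlines()) if h]
    per_dir = defaultdict(Counter)
    for path, name in hits:
        per_dir[parent_dir(path)][name] += 1
    # One folder full of the same detection under many file names is the seeding
    # pattern of a P2P worm, not thousands of separate downloads.
    hotspots = sorted(
        ((d, sum(c.values()), c.most_common(1)[0][0]) for d, c in per_dir.items()
         if sum(c.values()) >= hotspot_threshold),
        key=lambda t: -t[1])
    return {
        "total": len(hits),
        "by_bucket": Counter(classify(path) for path, _ in hits),
        "by_name": Counter(name for _, name in hits),
        "hotspots": hotspots,
        "live": [(p, n) for p, n in hits if classify(p).startswith("live")],
    }


# Sample lines copied from the AVG and Ewido logs posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\shell32.dll - OK - Quick checked
C:\!KillBox\w099938d.dll Trojan horse Downloader.Generic2.KMX Infected
C:\Documents and Settings\Owner\Complete\(203 Worst Wrecks and Crashes Caught On Tape).zip Virus identified Worm/VB.SO Infected
C:\Documents and Settings\Owner\Complete\wBoard 1.zip Virus identified Worm/VB.SO Infected
C:\Documents and Settings\Owner\Complete\webGuru 1.4.2.zip Virus identified Worm/VB.SO Infected
C:\Program Files\Common Files\uqku\uqkua.exe Trojan horse Downloader.Generic2.HQQ Infected
C:\WINDOWS\SYSTEM32\winlog.exe Trojan horse IRC/BackDoor.SdBot.VJZ Infected
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000036.exe","Trojan horse Generic.ZXO","Infected"
"C:\WINDOWS\system32\drivers\etc\hosts","- OK -","Quick checked"
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Complete\wArcanoid V The Solar System 3.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['total']} infected entries")
    for bucket, n in report["by_bucket"].most_common():
        print(f"  {n:4d}  {bucket}")
    for d, n, top in report["hotspots"]:
        print(f"hotspot: {n} x {top} in {d}")
    for p, n in report["live"]:
        print(f"LIVE: {n}  {p}")
```

Feed it the full untruncated log instead of SAMPLE_LOG and the 3500-line Complete folder collapses into one hotspot line, leaving the handful of live entries (the backdoor in System32 and the downloaders under Common Files) as the items that actually need attention; the restore-point copies only matter if System Restore is ever rolled back.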


#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:30 PM

Posted 01 September 2006 - 08:50 AM

I think you may be misinterpreting AVG's results. Many of the items you listed were shown to be ok, which means not infected.

As far as the Complete folder that contains many infected files, someone has been doing some filesharing on this computer. This may have been some time ago and I don't see any signs of recent use in your Combofix log. I would advise to delete the entire folder.

Click Start -> My Computer.
Go to Local Disk (C:)
Go to Documents and Settings
Go to Owner

Now you should be able to see the Complete folder.
Right click on it and select Delete.


============


Now since you were heavily infected on this computer I would like to get another excellent anti-malware program that will complement AVG very well. And we also want to get another virus scan, this time online.


Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close Ewido anti-spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Clean out your Temporary Internet files
    • Quit Internet Explorer and quit any instances of Windows Explorer.
    • Click Start -> Control Panel and then double-click Internet Options.
    • On the General tab, click Delete Files under Temporary Internet Files.
    • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
    • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
    • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
    • Click OK.
    IMPORTANT: Close all windows and do not open any other windows or programs while Ewido is scanning, as it may interfere with the scanning process:

  • Launch Ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido and reboot your system back into Normal Mode and post the results of the Ewido scan report.
============


Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
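
Buckeye_Sam's advice above is to delete the Complete folder wholesale. Before deleting, a practitioner would want to confirm that the archives are worm seeds rather than real downloads, and to locate the folder even when Explorer does not show it. The script below is an added example, not from this thread or from any of the tools mentioned in it: it walks a download tree with os.walk (which lists hidden and system folders regardless of Explorer's view settings), flags any zip whose only contents are executables, and groups the flagged archives by the hash of their payload. A single hash shared by every flagged archive is what one worm copying itself under thousands of enticing names looks like, and it matches the Ewido report further down the thread, where each archive's Setup.exe carries the same Worm.VB.dw detection. The folder and archives the script builds are constructed stand-ins of a few bytes each, not the real files; the executable-extension list is this example's own choice.

```python
"""Spot P2P-worm seed archives: zips with media/software-looking names whose
only content is an executable, one identical Setup.exe per archive. Added
example, not a tool from this thread; the archives it builds are constructed
stand-ins (a few bytes each), not the real files."""
import hashlib
import os
import tempfile
import zipfile

# Extensions a media, e-book or photo archive has no business consisting of.
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def archive_members(zip_path):
    """[(member name, bytes)] for every file in the archive."""
    with zipfile.ZipFile(zip_path) as zf:
        return [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]


def is_seed(members):
    """True when every member is an executable; a genuine video or document
    archive contains at least one non-executable file."""
    return bool(members) and all(
        os.path.splitext(name)[1].lower() in EXEC_EXT for name, _ in members)


def find_seed_archives(root):
    """Walk root and group seed archives by the SHA-256 of their payload.
    os.walk lists hidden and system folders, so it finds a folder Explorer hides."""
    seeds = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(".zip"):
                continue
            path = os.path.join(dirpath, f)
            try:
                members = archive_members(path)
            except zipfile.BadZipFile:
                continue                          # corrupt, or not really a zip
            if is_seed(members):
                digest = hashlib.sha256(b"".join(d for _, d in members)).hexdigest()
                seeds.setdefault(digest, []).append(path)
    return seeds


def build_demo_tree(base):
    """Constructed download folder: two seed archives sharing one payload, one
    real photo archive, one software archive that ships docs with its binary."""
    complete = os.path.join(base, "Complete")
    os.makedirs(complete)
    payload = b"MZ stub standing in for the worm body; same bytes in every seed"
    for name in ("(203 Worst Wrecks and Crashes Caught On Tape).zip", "wBoard 1.zip"):
        with zipfile.ZipFile(os.path.join(complete, name), "w") as zf:
            zf.writestr("Setup.exe", payload)
    with zipfile.ZipFile(os.path.join(base, "holiday photos.zip"), "w") as zf:
        zf.writestr("beach.jpg", b"\xff\xd8\xff\xe0 constructed jpeg stub")
    with zipfile.ZipFile(os.path.join(base, "some tool.zip"), "w") as zf:
        zf.writestr("README.txt", b"real software ships documentation")
        zf.writestr("tool.exe", b"MZ constructed installer stub")
    return complete


def demo():
    """Build the tree in a temp dir and return {payload_sha256: [archive names]}."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        return {h: sorted(os.path.basename(p) for p in paths)
                for h, paths in find_seed_archives(base).items()}


if __name__ == "__main__":
    for digest, names in demo().items():
        print(f"{len(names)} archives share payload {digest[:16]}...: {names}")
```

On the affected machine the call would be find_seed_archives(r"C:\Documents and Settings\Owner") instead of the temp tree; the function only reads, nothing is deleted, and the result (one payload hash, thousands of paths) is the evidence that justifies removing the whole folder rather than sorting through it.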


========================================================

#9 Egglestone

Egglestone
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:30 PM

Posted 02 September 2006 - 01:57 AM

Please note that the following consists of :
1) Response to your {Complete} folder suggestions.
1a) AVG log explanation.
1b) FileSharing?
1c) {Complete} folder.
2) Ewido log.
3) Further AVG log which ran (autoscheduled) similar time as the Panda ActiveScan.
4) Panda ActiveScan log.
5) HiJackThis log.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This section is a response to additional comments you made at the top of your post :
Yep many of AVG's items listed were indeed ok, I just wanted to list the log in full so it was clear.
BUT there is a section in the middle of the log (my previous post) that I truncated because it consisted of around 3500 files, all in the Complete folder, all reported as infected. I repeated that portion of the log below (the full list is in the Ewido log further down) :

C:\Documents and Settings\Owner\Complete\(203 Worst Wrecks and Crashes Caught On Tape).zip Virus identified Worm/VB.SO Infected
******************************
I have truncated this section as it consists of approx 3500 files similar to the ones above and below.
- They are all located in the "Complete" folder (which does not seem to exist even amongst hidden files/folders nor through the Explore function).
- Every one has a file description to pass it off as a game file, a video file, or something similar. There were World Of Warcraft files, TV station files, porn files,
- I do not recognise any of the files as anything I have ever downloaded, mentioned or even seen advertised.
- Every one is described as having a Worm/VB.SO infection.
- While AVG reported all these as infected, it would not let me Heal, Quarantine or Delete any of them (or any other infected file, for that matter).
- I remember in the past seeing AdAware Personal check these files and not report any suspicion.
******************************
C:\Documents and Settings\Owner\Complete\[zw] dot Hack Roots 18 Star Ocean (h264) [9DB77F73] mkv.zip Virus identified Worm/VB.SO Infected

Re the filesharing, we had LimeWire installed until recently (it started starting TWO LimeWires, just completely bogging down the PC, so we uninstalled it). It would have been through LimeWire that I accidentally downloaded the SSK etc, thinking it was a game file (the game setup file didn't install anything noticeably, then the ads started). All those 3500 files though, we didn't download them or share them. Neither wife nor I recognise a single one.
Re deleting the {Complete} folder, I would do that BUT the folder does not appear. Not with Explore (My Computer etc), nor with the Explore Search function. I also checked under some of the nuances such as how files listed in the 'Documents' folder might through My Computer actually be in the 'My Documents' folder. No sign. Currently, I have just now looked for it under the cmd DOS prompt but there is no sign, THOUGH Ewido found and blasted all the 3500 files so maybe it got rid of the folder?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ewido log (sorry mate, this is gonna be one heck of a list. The max characters here is 100000, and this is 500000 so I again will only show a truncated selection of the similar ones) :

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:43:04 AM 2/09/2006

+ Scan result:



HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\S-1-5-21-3725260815-2188283067-2291903390-1003\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\S-1-5-21-3725260815-2188283067-2291903390-1003\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\winlog.exe -> Backdoor.Rbot : Cleaned with backup (quarantined).
C:\Program Files\Common Files\uqku\uqkup.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\Program Files\Common Files\uqku\uqkua.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\Program Files\Common Files\uqku\uqkum.exe -> Downloader.TSUpdate.n : Cleaned with backup (quarantined).
C:\Program Files\Common Files\uqku\uqkul.exe -> Downloader.TSUpdate.r : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Complete\(203 Worst Wrecks and Crashes Caught On Tape).zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Complete\-Stephen King - The Girl Who Loved Tom Gordon (64k) UA.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Complete\086 Playboy Intimate Workout For Lovers DVD-Rip.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Complete\2 Lesben in der Bar fingern sich.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
~~~~~~~~~~~
I have cropped out many thousands of additional {Complete} folder infections that are basically the same as those above and below
~~~~~~~~~~~
C:\Documents and Settings\Owner\Complete\w3IDE NexGen Edition 2.0.0c.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Complete\wAPI Monitor for Windows 3.1.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Complete\wArcanoid V The Solar System 3.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Complete\wBoard 1.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Complete\webGuru 1.4.2.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Complete\webcamAMP 1.4.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Complete\www moviez to Reservoir Dogs EMUDVD-Unleashed + Webseed.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Complete\www torrent-galaxy to Darkstar One-RELOADED.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).


::Report end

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A further AVG scan ran as it seems to have determined for itself a daily scan schedule. Fine by me! (Again, it wouldn't let me quarantine/heal/delete any of the infected listings, BUT later put one of them back up on screen, and I was then able to quarantine it. It was one of the restores) :

"Partition table (MBR)","- OK -","Quick checked"
"Boot sector of disk C:","- OK -","Quick checked"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load","","Scanned"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit","","Scanned"
"System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","","Scanned"
"System registry exefile\shell\open\command","","Scanned"
"System registry scrfile\shell\open\command","","Scanned"
"System registry scrfile\shell\config\command","","Scanned"
"System registry batfile\shell\open\command","","Scanned"
"System registry cmdfile\shell\open\command","","Scanned"
"System registry comfile\shell\open\command","","Scanned"
"System registry piffile\shell\open\command","","Scanned"
"System registry giffile\shell\open\command","","Scanned"
"System registry htmlfile\shell\open\command","","Scanned"
"System registry htafile\shell\open\command","","Scanned"
"System registry jpegfile\shell\open\command","","Scanned"
"System registry txtfile\shell\open\command","","Scanned"
"System registry regfile\shell\open\command","","Scanned"
"System registry cplfile\shell\cplopen\command","","Scanned"
"System registry Word.Document.8\shell\open\command","","Scanned"
"System registry WordPad.Document.1\shell\open\command","","Scanned"
"System registry inffile\shell\open\command","","Scanned"
"System registry vbsfile\shell\open\command","","Scanned"
"System registry vbefile\shell\open\command","","Scanned"
"C:\HP\KBD\KBD.EXE","- OK -","Quick checked"
"C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe","- OK -","Quick checked"
"C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe","- OK -","Quick checked"
"C:\Program Files\Internet Explorer\iexplore.exe","- OK -","Quick checked"
"C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe","- OK -","Quick checked"
"C:\Program Files\Macromedia\Fireworks MX\Fireworks.exe","- OK -","Quick checked"
"C:\Program Files\Microsoft Office\Office\WINWORD.EXE","- OK -","Quick checked"
"C:\Program Files\ewido anti-spyware 4.0\ewido.exe","- OK -","Quick checked"
"C:\WINDOWS\SMINST\Recguard.exe","- OK -","Quick checked"
"C:\WINDOWS\System32\hkcmd.exe","- OK -","Quick checked"
"C:\WINDOWS\System32\mshta.exe","- OK -","Quick checked"
"C:\WINDOWS\regedit.exe","- OK -","Quick checked"
"C:\WINDOWS\system32\ps2.EXE","- OK -","Quick checked"
"C:\WINDOWS\system32\rundll32.exe","- OK -","Quick checked"
"C:\WINDOWS\system32\shell32.dll","- OK -","Quick checked"
"C:\Windows\system32\HpSrvUI.exe","- OK -","Quick checked"
"c:\hp\drivers\scanners\ScannerFB.EXE","- OK -","Quick checked"
"c:\windows\system\hpsysdrv.exe","- OK -","Quick checked"
"C:\WINDOWS\system32\kernel32.dll","- OK -","Quick checked"
"C:\WINDOWS\system32\wsock32.dll","- OK -","Quick checked"
"C:\WINDOWS\system32\user32.dll","- OK -","Quick checked"
"C:\WINDOWS\system32\shell32.dll","- OK -","Quick checked"
"C:\WINDOWS\system32\ntoskrnl.exe","- OK -","Quick checked"
"C:\WINDOWS\system32\drivers\etc\hosts","- OK -","Quick checked"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000036.exe","Trojan horse Generic.ZXO","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000037.exe","Trojan horse Downloader.Generic2.LGK","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000038.exe","Trojan horse Downloader.Generic2.LEV","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000039.exe","Trojan horse Downloader.Generic2.LEV","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000040.exe","Trojan horse Downloader.Generic2.LEV","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000041.exe","Trojan horse BackDoor.Generic3.IEQ","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000042.exe","Trojan horse Downloader.VB.FU","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000043.dll","Trojan horse Downloader.Generic2.KAW","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000046.exe","Trojan horse Downloader.Generic2.HBY","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000049.dll","Trojan horse Downloader.Generic2.KMX","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000050.dll","Trojan horse Downloader.Generic2.KMX","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000058.exe","Virus identified Worm/VB.SO","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000059.dll","Trojan horse Downloader.Agent.ETT","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000060.exe","Trojan horse Downloader.Generic2.JVR","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000061.dll","Trojan horse Look2me","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000062.dll","Trojan horse Look2me","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000063.dll","Trojan horse Look2me","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000064.DLL","Trojan horse Look2me","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000065.dll","Trojan horse Look2me","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP1\A0000066.dll","Trojan horse Look2me","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP2\A0000137.dll","Trojan horse Downloader.Generic2.KMX","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP2\A0000138.dll","Trojan horse Downloader.Generic2.KAW","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP2\A0000140.dll","Trojan horse Downloader.Generic2.KMX","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP5\A0000380.dll","Trojan horse Downloader.Generic2.KAW","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP5\A0000381.dll","Trojan horse Downloader.Generic2.KMX","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP5\A0000382.dll","Trojan horse Downloader.Generic2.KMX","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP6\A0000426.exe","Trojan horse Downloader.Generic2.HQQ","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP6\A0000427.exe","Trojan horse Downloader.Generic2.HQR","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP6\A0000428.exe","Trojan horse Downloader.Generic.JAD","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP6\A0000429.exe","Trojan horse Downloader.Generic2.HQP","Infected"
"C:\System Volume Information\_restore{3142E0F6-13C5-4452-8E86-A62A8B6CB5A3}\RP6\A0000430.exe","Trojan horse IRC/BackDoor.SdBot.VJZ","Infected"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load","","Scanned"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit","","Scanned"
"System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","","Scanned"
"System registry exefile\shell\open\command","","Scanned"
"System registry scrfile\shell\open\command","","Scanned"
"System registry scrfile\shell\config\command","","Scanned"
"System registry batfile\shell\open\command","","Scanned"
"System registry cmdfile\shell\open\command","","Scanned"
"System registry comfile\shell\open\command","","Scanned"
"System registry piffile\shell\open\command","","Scanned"
"System registry giffile\shell\open\command","","Scanned"
"System registry htmlfile\shell\open\command","","Scanned"
"System registry htafile\shell\open\command","","Scanned"
"System registry jpegfile\shell\open\command","","Scanned"
"System registry txtfile\shell\open\command","","Scanned"
"System registry regfile\shell\open\command","","Scanned"
"System registry cplfile\shell\cplopen\command","","Scanned"
"System registry Word.Document.8\shell\open\command","","Scanned"
"System registry WordPad.Document.1\shell\open\command","","Scanned"
"System registry inffile\shell\open\command","","Scanned"
"System registry vbsfile\shell\open\command","","Scanned"
"System registry vbefile\shell\open\command","","Scanned"
"C:\HP\KBD\KBD.EXE","- OK -","Quick checked"
"C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe","- OK -","Quick checked"
"C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe","- OK -","Quick checked"
"C:\Program Files\Internet Explorer\iexplore.exe","- OK -","Quick checked"
"C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe","- OK -","Quick checked"
"C:\Program Files\Macromedia\Fireworks MX\Fireworks.exe","- OK -","Quick checked"
"C:\Program Files\Microsoft Office\Office\WINWORD.EXE","- OK -","Quick checked"
"C:\WINDOWS\SMINST\Recguard.exe","- OK -","Quick checked"
"C:\WINDOWS\System32\hkcmd.exe","- OK -","Quick checked"
"C:\WINDOWS\System32\mshta.exe","- OK -","Quick checked"
"C:\WINDOWS\regedit.exe","- OK -","Quick checked"
"C:\WINDOWS\system32\ps2.EXE","- OK -","Quick checked"
"C:\WINDOWS\system32\rundll32.exe","- OK -","Quick checked"
"C:\WINDOWS\system32\shell32.dll","- OK -","Quick checked"
"C:\Windows\system32\HpSrvUI.exe","- OK -","Quick checked"
"c:\hp\drivers\scanners\ScannerFB.EXE","- OK -","Quick checked"
"c:\windows\system\hpsysdrv.exe","- OK -","Quick checked"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Panda ActiveScan :
*** Note this was halfway through when I idiotically clicked the "Get Disinfection Advice" button as it said it would open in a separate window. Of course, my Windows Security settings asked for confirmation, and I crashed the scan. It had found and disinfected 1 virus, and also noticed I think 3 Spywares. These may or may not have been retained for the log below. My guess is the Spyware is listed, but we've missed out on seeing what that first virus could have been.


Incident Status Location

Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/gator Not disinfected c:\windows\GatorPatch.log
Adware:adware/sqwire Not disinfected Windows Registry
Adware:adware/ucmore Not disinfected Windows Registry
Adware:adware/powerstrip Not disinfected Windows Registry
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\hp\bin\Terminator.exe
Hacktool:Exploit/iFrame Not disinfected Local Folders\Sent Items\Arly's\Fw: Document.write(bodytag)
Virus:W32/Klez.I Disinfected Local Folders\Sent Items\Arly's\Fw: Document.write(bodytag)\Pzfmp.bat
Virus:W32/Bagle.pwdzip Disinfected Local Folders\Sent Items\Arly's\Fw: Email account utilization warning.\Attach.zip
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HiJack This log :

Logfile of HijackThis v1.99.1
Scan saved at 4:45:28 PM, on 2/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\fxssvc.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au4.hpwis.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O8 - Extra context menu item: &Define - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#10 Buckeye_Sam (Malware Expert, Pickerington, Ohio)

Posted 02 September 2006 - 07:45 PM

First let me say that I really appreciate the detailed responses. The info that you give makes it much easier for me to work through your problem. :thumbsup:

Now let's work through a few steps and we'll chip away at this.

First let's check and see if that Complete folder is there or not.
Open notepad and copy and paste this text in it:

cd\
cd C:\Documents and Settings\Owner
DIR  /o:d > log.txt
start log.txt
cls
exit
Save this as look.bat
Change the "Save As Type" to "All Files" and save it on your desktop.
Doubleclick look.bat and post the content of the txtfile you get in your next reply.



===============



Flush your System Restore. This will delete any restore points that you have, but it will also make sure that any malware hiding in System Restore is booted off.

Turn off System Restore:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer, turn it back on and create a restore point.

Create a restore point:
  • Click Start and point to All Programs.
  • Mouse over Accessories, then System Tools, and select System Restore.
  • In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
  • Type a description for your new restore point. Something like "After cleanup". Click Create and you're done.
============


Now let's clean up the actual malware that Panda found. Some of those entries are false positives and cookies.

Delete these files.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Ssk.log
c:\windows\GatorPatch.log


Now these lines show infected emails that need to be double deleted from your email program.

Hacktool:Exploit/iFrame Not disinfected Local Folders\Sent Items\Arly's\Fw: Document.write(bodytag)
Virus:W32/Klez.I Disinfected Local Folders\Sent Items\Arly's\Fw: Document.write(bodytag)\Pzfmp.bat
Virus:W32/Bagle.pwdzip Disinfected Local Folders\Sent Items\Arly's\Fw: Email account utilization warning.\Attach.zip


=============


Now let's just see where we stand with that Complete folder and we'll take it from there.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 Egglestone (Topic Starter)

Posted 03 September 2006 - 12:46 AM

Hi, thanks, yeah it's good to find my Obsessive Compulsion is good for something! :thumbsup: I appreciate all your help, this forum is the best concept I've come across in quite some time!

The below consists of :
1. Purging System Restore.
2. Attending to what Panda found
3. The search for the {Complete} folder
4. New HJT log

~~~~~~~~~~~

Ok I flushed System Restore and set a new restore point.

~~~~~~~~~~~

I went looking for the malware. Of the two files, I could only locate the Gator one, and successfully removed it.
The SSK one doesn't show.

I have located two of the three eMails and deleted them. Could the first and second eMail be the same one?

~~~~~~~~~~~
Yay DOS batch files! My level of technical know-how! :flowers:

Volume in drive C is HP_PAVILION
Volume Serial Number is F4BD-7308

Directory of C:\Documents and Settings\Owner

21/02/2002 03:53 AM <DIR> WINDOWS
21/01/2003 06:40 AM <DIR> Mapedit
29/09/2003 07:56 AM 650 California.lnk
04/11/2003 07:55 PM <DIR> Start Menu
03/07/2005 08:13 PM <DIR> Incomplete
17/08/2006 10:20 PM <DIR> My Documents
03/09/2006 10:19 AM <DIR> Favorites
03/09/2006 10:47 AM <DIR> Desktop
03/09/2006 10:47 AM <DIR> ..
03/09/2006 10:47 AM <DIR> .
03/09/2006 10:47 AM 0 log.txt
2 File(s) 650 bytes
9 Dir(s) 5,396,049,920 bytes free

~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 3:42:09 PM, on 3/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\fxssvc.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au4.hpwis.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O8 - Extra context menu item: &Define - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#12 Buckeye_Sam (Malware Expert, Pickerington, Ohio)

Posted 03 September 2006 - 01:36 PM

I have located two of the three eMails and deleted them. Could the first and second eMail be the same one?

Yes, it certainly could have been.

From the log that you posted, it appears that the "Complete" folder has been deleted already. I do see a folder named "Incomplete" though. That is also from Limewire and could now be deleted. It may even be empty.


Your log looks pretty good! :thumbsup:

Please run a new scan with Ewido, this time from in normal mode, and post the resulting log in your next reply.
Let me know of any problems or issues that you are still having.


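As an added illustration of the kind of log comparison done in this thread (my own example code, not anything from the thread, from BleepingComputer or from HijackThis itself), the following Python script parses two HijackThis v1.99-format logs, reports entries that appeared or disappeared between scans, and flags O4 autorun entries whose target lives in a temp or per-user data folder. The sample logs are constructed: a few lines copied from the logs above plus one made-up O4 entry under Local Settings\Temp.

```python
"""Compare two HijackThis logs section by section (constructed example)."""
import re
from collections import defaultdict

# A HijackThis entry starts with a section code (R0, O2, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")

# Autorun targets under these paths deserve a second look on an XP box;
# legitimate startup items normally live under Program Files or Windows.
SUSPECT_DIRS = (
    r"\local settings\temp",
    r"\temporary internet files",
    r"\application data\\",
    r"\windows\temp",
)


def parse_hjt(text):
    """Return ({section code: set of entries}, [running processes, lowercased])."""
    sections = defaultdict(set)
    processes = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections[m.group(1)].add(m.group(2))
    return dict(sections), processes


def _section_key(code):
    # Sort R0 < O2 < O4 < O23 the way HijackThis prints them.
    return (code[0], int(code[1:]))


def diff_hjt(old_text, new_text):
    """Entries and processes present in only one of the two logs."""
    old, old_procs = parse_hjt(old_text)
    new, new_procs = parse_hjt(new_text)
    report = {}
    for sec in sorted(set(old) | set(new), key=_section_key):
        added = sorted(new.get(sec, set()) - old.get(sec, set()))
        removed = sorted(old.get(sec, set()) - new.get(sec, set()))
        if added or removed:
            report[sec] = {"added": added, "removed": removed}
    report["processes"] = {
        "added": sorted(set(new_procs) - set(old_procs)),
        "removed": sorted(set(old_procs) - set(new_procs)),
    }
    return report


def flag_autoruns(sections):
    """O4 entries whose launched file sits in a temp or per-user data folder."""
    hits = []
    for entry in sorted(sections.get("O4", ())):
        target = entry.split("] ", 1)[-1].lower()   # text after "[name] "
        if any(d in target for d in SUSPECT_DIRS):
            hits.append(entry)
    return hits


# Constructed sample logs: real lines from the thread plus one made-up
# "[example]" autorun entry that points into the Temp folder.
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:45:28 PM, on 2/09/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au4.hpwis.com/
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [example] C:\Documents and Settings\Owner\Local Settings\Temp\example.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

NEW_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:42:09 PM, on 3/09/2006

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au4.hpwis.com/
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

if __name__ == "__main__":
    for sec, change in diff_hjt(OLD_LOG, NEW_LOG).items():
        for kind in ("added", "removed"):
            for entry in change[kind]:
                print(f"{sec} {kind}: {entry}")
    for entry in flag_autoruns(parse_hjt(OLD_LOG)[0]):
        print("suspicious autorun location:", entry)
```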
========================================================

#13 Egglestone (Topic Starter)

Posted 04 September 2006 - 06:01 PM

Cool bananas! Wonderful Ewido run as far as I can tell! Here we are :

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:38:07 PM 4/09/2006

+ Scan result:



C:\Documents and Settings\Owner\Cookies\owner@247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).


::Report end

~~~~~~~~~~~~

Ran an AVG too :

"Partition table (MBR)","- OK -","Quick checked"
"Boot sector of disk C:","- OK -","Quick checked"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load","","Scanned"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit","","Scanned"
"System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","","Scanned"
"System registry exefile\shell\open\command","","Scanned"
"System registry scrfile\shell\open\command","","Scanned"
"System registry scrfile\shell\config\command","","Scanned"
"System registry batfile\shell\open\command","","Scanned"
"System registry cmdfile\shell\open\command","","Scanned"
"System registry comfile\shell\open\command","","Scanned"
"System registry piffile\shell\open\command","","Scanned"
"System registry giffile\shell\open\command","","Scanned"
"System registry htmlfile\shell\open\command","","Scanned"
"System registry htafile\shell\open\command","","Scanned"
"System registry jpegfile\shell\open\command","","Scanned"
"System registry txtfile\shell\open\command","","Scanned"
"System registry regfile\shell\open\command","","Scanned"
"System registry cplfile\shell\cplopen\command","","Scanned"
"System registry Word.Document.8\shell\open\command","","Scanned"
"System registry WordPad.Document.1\shell\open\command","","Scanned"
"System registry inffile\shell\open\command","","Scanned"
"System registry vbsfile\shell\open\command","","Scanned"
"System registry vbefile\shell\open\command","","Scanned"
"C:\HP\KBD\KBD.EXE","- OK -","Quick checked"
"C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe","- OK -","Quick checked"
"C:\Program Files\IncrediMail\bin\IncMail.exe","- OK -","Quick checked"
"C:\Program Files\Internet Explorer\iexplore.exe","- OK -","Quick checked"
"C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe","- OK -","Quick checked"
"C:\Program Files\Macromedia\Fireworks MX\Fireworks.exe","- OK -","Quick checked"
"C:\Program Files\Microsoft Office\Office\WINWORD.EXE","- OK -","Quick checked"
"C:\WINDOWS\SMINST\Recguard.exe","- OK -","Quick checked"
"C:\WINDOWS\System32\hkcmd.exe","- OK -","Quick checked"
"C:\WINDOWS\System32\mshta.exe","- OK -","Quick checked"
"C:\WINDOWS\regedit.exe","- OK -","Quick checked"
"C:\WINDOWS\system32\ps2.EXE","- OK -","Quick checked"
"C:\WINDOWS\system32\rundll32.exe","- OK -","Quick checked"
"C:\WINDOWS\system32\shell32.dll","- OK -","Quick checked"
"C:\Windows\system32\HpSrvUI.exe","- OK -","Quick checked"
"c:\hp\drivers\scanners\ScannerFB.EXE","- OK -","Quick checked"
"c:\windows\system\hpsysdrv.exe","- OK -","Quick checked"
"C:\WINDOWS\system32\kernel32.dll","- OK -","Quick checked"
"C:\WINDOWS\system32\wsock32.dll","- OK -","Quick checked"
"C:\WINDOWS\system32\user32.dll","- OK -","Quick checked"
"C:\WINDOWS\system32\shell32.dll","- OK -","Quick checked"
"C:\WINDOWS\system32\ntoskrnl.exe","- OK -","Quick checked"
"C:\WINDOWS\system32\drivers\etc\hosts","- OK -","Quick checked"

~~~~~~~~~~~~~~

HiJackThis log :

Logfile of HijackThis v1.99.1
Scan saved at 7:32:56 AM, on 5/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\fxssvc.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au4.hpwis.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O8 - Extra context menu item: &Define - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

~~~~~~~~~~~~~~~~~~~~~~

When I left for work this morning, I had an AdAware SE running. Missus will send through the results when she's up later, are you interested in seeing it? I was thinking of running a SpyBot, and a Housecall after that. Is it worth it?

~~~~~~~~~~~~~~~~~~~~~~

With both Ewido and AVG checking everything I do on my PC, it runs VERY slowly. Is there anything I can do about that? Same thing used to happen ages ago when I had Norton installed, and I assumed from all the trashtalking of Norton that it was just local to that application. But maybe these things in general just use up that much memory!

Thanks again for all the help thus far! You're a fantastic help! :thumbsup:

#14 Buckeye_Sam (Malware Expert, Pickerington, Ohio)

Posted 04 September 2006 - 06:37 PM

Your logs are all coming up clean. The cookies in the Ewido report aren't anything to be concerned about. I would recommend running both Adaware and Spybot, but I don't need to see the reports unless you run across something that they have trouble dealing with.

It never hurts to run another online virus scan too. Housecall is good and it sometimes picks up on things that Panda doesn't. There again, unless you run into something stubborn that won't go away I don't need to see that log.

Antivirus programs in general use quite a bit of your computer's resources. AVG is better than most. It's far better than Norton, which is probably the worst. You could disable Ewido's real time protection if you feel it's slowing your computer down a lot. I wouldn't recommend it, but if you take other precautions and run manual scans with Ewido, as well as Spybot and Adaware on a regular basis you should be ok.


Here are some suggestions for you to keep your computer running smoothly and securely.


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable System Restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable System Restore with instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :flowers:


========================================================

#15 Egglestone (Topic Starter)

Posted 05 September 2006 - 10:48 PM

You're an utter legend! AdAware's only nasties were cookies that I reckon all come from the MSN (reset) home page. I'll continue through the other tools bit by bit. Will sort out a balance between live checking and PC speed.

Again and again, thank you VERY much!
