
System Is A Mess - Please Help!


47 replies to this topic

#1 T-bone77

T-bone77

  • Members
  • 49 posts
  • OFFLINE
  • Local time:07:37 PM

Posted 01 September 2006 - 01:58 AM

Hi - my system has so many issues right now that it has taken me days to be able to even post this. Browser wouldn't start at all for a while. Now I get a bunch of popups that tell me I'm infected. I also get a few messages at startup that some DLLs are missing (no doubt related to some of my efforts to clean things up over the past couple of weeks). Finally, after running for a short period of time, my system will barely respond to any commands even though the Idle Process seems to be taking most of the CPU time. Anyway, I ran as much anti-virus as my crippled system would allow (AdAware, Spybot, Ewido) and now would like some help based on my HJT log. Thanks in advance.

----------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:51:12 PM, on 8/31/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\Prodigy\PRODIG~1\app\pppoeservice.exe
C:\PROGRA~1\Prodigy\PRODIG~1\app\EnterNetDUN.Exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZONELABS\minilog.exe
C:\WINNT\system32\issearch.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\PRODINET\BIN\PIDUNHK.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PRODINET\BIN\piaxorb.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\Duce6.exe
C:\kybrdff_15.exe
C:\WINNT\ms04911272403.exe
C:\WINNT\sys02039112724.exe
C:\WINNT\ms05112724039.exe
C:\WINNT\sys09240391127.exe
C:\WINNT\sys01403911272.exe
C:\WINNT\gmvylezA.exe
C:\dfndrff_15.exe
C:\winnt\system32\stonedrv.exe
C:\winnt\system32\rlvknlg.exe
C:\Program Files\Common Files\{0E5413D7-0353-1033-0409-010103200001}\Update.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\PSLister\PSLister.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\system32\issearch.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*oracle.com;<local>
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe,rpxwrhv.exe
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\System32\opnmk.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINNT\system32\ixt0.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ProfileCopier] "C:\Program Files\Profile Copier\ProfileCopier.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PiDunHk] "C:\PROGRA~1\PRODINET\BIN\PIDUNHK.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [loaddr] C:\dqrn.exe
O4 - HKLM\..\Run: [otk35967] RUNDLL32.EXE w2ca521c.dll,n 00335964000000112ca521c
O4 - HKLM\..\Run: [ntk35966] RUNDLL32.EXE w2cb29a7.dll,n 00335963000000022cb29a7
O4 - HKLM\..\Run: [ptk35968] RUNDLL32.EXE w2ca08ff.dll,n 00335965000000112ca08ff
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\Duce6.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_15.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\dqrn.exe
O4 - HKLM\..\Run: [ms04911272403] C:\WINNT\ms04911272403.exe
O4 - HKLM\..\Run: [sys02039112724] C:\WINNT\sys02039112724.exe
O4 - HKLM\..\Run: [ms05112724039] C:\WINNT\ms05112724039.exe
O4 - HKLM\..\Run: [sys09240391127] C:\WINNT\sys09240391127.exe
O4 - HKLM\..\Run: [sys01403911272] C:\WINNT\sys01403911272.exe
O4 - HKLM\..\Run: [gmvylezA] C:\WINNT\gmvylezA.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_15.exe
O4 - HKLM\..\Run: [stonedrv] c:\winnt\system32\stonedrv.exe
O4 - HKLM\..\Run: [RelevantKnowledge] c:\winnt\system32\rlvknlg.exe -boot
O4 - HKLM\..\RunServices: [stonedrv] c:\winnt\system32\stonedrv.exe
O4 - HKCU\..\Run: [AboutTime Setup] regedit /s "C:\Program Files\AboutTime\setup.reg"
O4 - HKCU\..\Run: [AboutTime TimeServer] C:\Program Files\AboutTime\abouttime.exe
O4 - HKCU\..\Run: [Handy Backup 3.9] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [ntdll.dll] "C:\Program Files\PSLister\PSLister.exe"
O4 - HKCU\..\Run: [cprocsvc] C:\WINNT\system32\crunner\cproc.exe
O4 - HKCU\..\Run: [stonedrv] c:\winnt\system32\stonedrv.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://gsi.oraclecorp.com
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.ritzpix.com/upload/FujifilmUploadClient.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay103.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = us.oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = us.oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = us.oracle.com
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINNT\system32\xeymi.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: opnmk - C:\WINNT\SYSTEM32\opnmk.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINNT\system32\mv26l9fs1.dll (file missing)
O20 - Winlogon Notify: vtspm - vtspm.dll (file missing)
O20 - Winlogon Notify: WebCheck - C:\WINNT\system32\dnnm0151e.dll (file missing)
O20 - Winlogon Notify: winiqr32 - C:\WINNT\SYSTEM32\winiqr32.dll
O20 - Winlogon Notify: winzlo32 - C:\WINNT\SYSTEM32\winzlo32.dll
O21 - SSODL: ntdll.dll - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\minilog.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\Prodigy\PRODIG~1\app\pppoeservice.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
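As an added illustration of how a helper reads a log like the one above (this is an example written for this thread, not a BleepingComputer or HijackThis tool), the Python below applies a few of the heuristics that single out the bad entries here: an extra program chained onto UserInit, Run values named after system DLLs such as ntdll.dll, executables launched from the drive root or straight from the Windows directory, RUNDLL32 loading an unqualified DLL, an O18 filter on text/html, and Winlogon Notify or SSODL entries pointing at missing files. The sample lines are constructed from this thread's log with some benign entries mixed in; the rules are this example's own assumptions and deliberately miss entries such as the [shell] value, so they are a triage aid, not a verdict.

```python
"""Heuristic triage of HijackThis log lines (example added for this thread; not a HijackThis feature)."""
import re
from typing import List, Tuple

# Constructed sample: lines modelled on the log posted above, with a few benign entries mixed in.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,rpxwrhv.exe
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\System32\opnmk.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [otk35967] RUNDLL32.EXE w2ca521c.dll,n 00335964000000112ca521c
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\Duce6.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_15.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\dqrn.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINNT\system32\xeymi.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: vtspm - vtspm.dll (file missing)
O21 - SSODL: ntdll.dll - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
"""

Finding = Tuple[str, str, str]  # (section, reason, original line)

# Core Windows DLL names that the entries in this thread borrowed as Run-value names.
SYSTEM_DLL_NAMES = {"ntdll.dll", "kernel32.dll", "shell32.dll", "user32.dll"}

# O4 - HKLM\..\Run: [name] command   (Startup-folder O4 lines are skipped on purpose)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# An .exe sitting directly in a drive root, e.g. C:\dqrn.exe or C:\\kybrdff_15.exe
ROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\+[^\\"]+\.exe"?(\s|$)', re.IGNORECASE)
# An .exe sitting directly in the Windows directory, e.g. C:\WINNT\Duce6.exe
WINDIR_EXE_RE = re.compile(r'^"?[A-Za-z]:\\+win(nt|dows)\\[^\\"]+\.exe"?(\s|$)', re.IGNORECASE)
# rundll32 given a bare DLL name (no path), which is resolved via the search path
RUNDLL_RE = re.compile(r"^rundll32(\.exe)?\s+(?P<dll>[^\\\s,]+\.dll)", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a (possibly quoted) Windows path."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_line(line: str) -> List[Finding]:
    """Return every heuristic that fires on one HijackThis log line."""
    findings: List[Finding] = []
    line = line.strip()
    if not line:
        return findings
    section = line.split(" - ", 1)[0]

    if section == "F2" and "UserInit=" in line:
        value = line.split("UserInit=", 1)[1]
        extras = [p.strip() for p in value.split(",") if p.strip() and _basename(p.strip()) != "userinit.exe"]
        if extras:
            findings.append((section, f"UserInit chains extra program(s): {', '.join(extras)}", line))

    elif section == "O2" and "(no name)" in line:
        findings.append((section, "BHO registered without a name; verify the DLL", line))

    elif section == "O4":
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if name.lower() in SYSTEM_DLL_NAMES:
                findings.append((section, f"Run value named after system DLL '{name}'", line))
            if ROOT_EXE_RE.match(cmd):
                findings.append((section, "executable launched from the drive root", line))
            elif WINDIR_EXE_RE.match(cmd):
                findings.append((section, "executable launched directly from the Windows directory", line))
            rd = RUNDLL_RE.match(cmd)
            if rd:
                findings.append((section, f"rundll32 loading unqualified DLL {rd.group('dll')}", line))

    elif section == "O18" and re.search(r"Filter: text/(html|plain) ", line):
        findings.append((section, "MIME filter hooking text/html or text/plain", line))

    elif section == "O20" and "(file missing)" in line:
        findings.append((section, "Winlogon Notify package points at a missing DLL", line))

    elif section == "O21":
        parts = line.split(" - ")
        name = parts[1].split(": ", 1)[-1] if len(parts) > 1 else ""
        if "(no file)" in line or name.lower() in SYSTEM_DLL_NAMES:
            findings.append((section, "SSODL entry with no file or a system-DLL name", line))

    return findings


def analyze(log_text: str) -> List[Finding]:
    """Run check_line over a whole log and collect the findings in order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        findings.extend(check_line(line))
    return findings


if __name__ == "__main__":
    for sec, reason, orig in analyze(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {orig}")
```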


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:37 AM

Posted 02 September 2006 - 03:32 PM

Umm....... EHm..... How did you even get your machine so infected :thumbsup:

Do you have another machine so you can get files transferred to this one? Or can you use your internet for file downloads? We'll need a lot of apps.

Let's start with this.....

Download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply. :flowers:
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!

#3 T-bone77

T-bone77
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:07:37 PM

Posted 03 September 2006 - 02:57 AM

I have another system so I can get onto this system whatever applications I need if my internet is acting up too much. As for how we got our system so screwed up, I would say poor security, visiting questionable sites, and then letting things snowball instead of taking care of them for a couple of years is probably a good start. Below find the result from running Combofix.

-------------

lcliu - Sun 09/03/2006 0:36:32.36
ComboFix 06.08.30BT - Running from: C:\Documents and Settings\lcliu\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{EE41C34F-108B-4A32-8654-7E2B9C293A21}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EE41C34F-108B-4A32-8654-7E2B9C293A21}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EE41C34F-108B-4A32-8654-7E2B9C293A21}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EE41C34F-108B-4A32-8654-7E2B9C293A21}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{7D5B45E4-0D56-44BD-8C69-D4BDCF0F7781}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7D5B45E4-0D56-44BD-8C69-D4BDCF0F7781}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7D5B45E4-0D56-44BD-8C69-D4BDCF0F7781}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7D5B45E4-0D56-44BD-8C69-D4BDCF0F7781}\InprocServer32]
@="C:\\WINNT\\system32\\leghours.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\Duce6.exe
C:\dfndrff_11a.exe
C:\dfndrff_15.exe
C:\dfndrff_14.exe
C:\kybrdff_15.exe
C:\kybrdff_11a.exe
C:\kybrdff_14.exe
C:\nwnmff_11.exe
C:\Documents and Settings\lcliu\Local Settings\Temporary Internet Files\Content.IE5\25O727EV\dfndrff_15[1].exe
C:\Documents and Settings\lcliu\Local Settings\Temporary Internet Files\Content.IE5\RP809N7T\kybrdff_15[1].exe
C:\WINNT\system32\aaa00000.dll
C:\WINNT\system32\aaa00000.sys
C:\WINNT\system32\issearch.exe
C:\WINNT\system32\tsuninst.exe
C:\deskbar.exe
C:\WINNT\csvhost.exe
C:\WINNT\elpp100drop.exe
C:\WINNT\justin.exe
C:\WINNT\ssqbn.exe
C:\WINNT\uninst104.exe
C:\WINNT\system32\ixt0.dll
C:\WINNT\system32\ixt5.dll
C:\WINNT\system32\ixt1.dll
C:\WINNT\system32\ixt2.dll
C:\WINNT\system32\ixt4.dll
C:\WINNT\system32\ixt3.dll
C:\Documents and Settings\Default User\Application Data\NetMon
C:\Program Files\elticons
C:\WINNT\system32\components
C:\Program Files\Common Files\{0E5413D7-02BD-1033-0409-010103200001}
C:\Program Files\Deskbar
C:\Program Files\PSLister
C:\Program Files\Common Files\{0E5413D7-0353-1033-0409-010103200001}


((((((((((((((((((((((((((((((( Files Created from 2006-08-03 to 2006-09-03 ))))))))))))))))))))))))))))))))))


2006-09-02 22:59 699,232 ---hs---- C:\WINNT\system32\ccccf.bak1
2006-09-02 22:59 692,276 ---hs---- C:\WINNT\system32\fcccc.dll
2006-09-02 22:57 251,262 --a------ C:\deskbar3.exe
2006-09-02 22:57 2,048 --a------ C:\WINNT\system32\dxvwhwhq.exe
2006-08-31 22:49 251,262 --a------ C:\deskbar2.exe
2006-08-31 22:48 126,976 --a------ C:\WINNT\system32\ieserv.exe
2006-08-30 22:09 25,105 --a------ C:\WINNT\idlemg.exe
2006-08-30 22:08 138 --a------ C:\WINNT\file.bat
2006-08-29 20:56 138,240 --a------ C:\WINNT\ms051127240392006.exe
2006-08-29 20:53 2,560 --a------ C:\WINNT\ac3_0002.exe
2006-08-21 15:41 159,744 --a------ C:\WINNT\tapeG22.exe
2006-08-21 13:48 53,248 --a------ C:\WINNT\uni_ehhhh.exe
2006-08-20 11:32 8,464 --a------ C:\WINNT\system32\sporder.dll
2006-08-20 11:13 186,219 --a------ C:\WINNT\srvvrcwizv.exe
2006-08-20 11:12 1,004,816 -r-hs---- C:\WINNT\gmvylezA.exe
2006-08-20 11:11 186,219 --a------ C:\WINNT\srvtubozzm.exe
2006-08-20 11:09 40,973 ---hs---- C:\WINNT\system32\ssqpqqq.dll
2006-08-20 11:07 15,872 --a------ C:\WINNT\system32\winiqr32.dll
2006-08-20 11:04 15,872 --a------ C:\WINNT\system32\winzlo32.dll
2006-08-20 10:59 214,752 --a------ C:\Setup100.exe
2006-08-20 10:58 186,223 --a------ C:\WINNT\srvahzjrxk.exe
2006-08-20 10:57 303,728 -r-hs---- C:\WINNT\gmvylez.exe
2006-08-20 10:46 39,437 --------- C:\WINNT\system32\opnmk.dll
2006-08-20 01:11 155,648 --a------ C:\WINNT\ms04911272403.exe
2006-08-19 00:06 61,952 --a------ C:\WINNT\system32\ptk35968.dll
2006-08-19 00:06 61,952 --a------ C:\WINNT\system32\ntk35966.dll
2006-08-19 00:06 1,167 --a------ C:\WINNT\system32\ptk35968.sys
2006-08-19 00:06 1,167 --a------ C:\WINNT\system32\ntk35966.sys
2006-08-18 23:59 61,952 --a------ C:\WINNT\system32\otk35967.dll
2006-08-18 23:59 1,167 --a------ C:\WINNT\system32\otk35967.sys
2006-08-18 23:56 106,496 --a------ C:\WINNT\Duce6.exe
2006-08-18 23:54 215,308 --a------ C:\WINNT\Setup90.exe
2006-08-18 23:53 11,264 --a------ C:\qenc.exe
2006-08-18 23:52 115,160 --a------ C:\WINNT\Eim03.exe
2006-08-18 23:50 75,776 --a------ C:\idpcrxsr.exe
2006-08-18 23:50 73,728 --a------ C:\esfq.exe
2006-08-18 23:50 7,168 --a------ C:\36110103225.exe
2006-08-14 17:52 78,848 --a------ C:\WINNT\system32\nsp52.dll
2006-08-11 09:05 155,648 --a------ C:\WINNT\sys09240391127.exe
2006-08-11 09:05 155,648 --a------ C:\WINNT\sys02039112724.exe
2006-08-11 09:05 155,648 --a------ C:\WINNT\sys01403911272.exe
2006-08-11 09:05 155,648 --a------ C:\WINNT\ms05112724039.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-03 00:09 88280 --a------ C:\Documents and Settings\lcliu\Application Data\winantiviruspro2006freeinstall[1].exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"ProfileCopier"="\"C:\\Program Files\\Profile Copier\\ProfileCopier.exe\""
"AtiPTA"="atiptaxx.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"POINTER"="point32.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"
"PiDunHk"="\"C:\\PROGRA~1\\PRODINET\\BIN\\PIDUNHK.EXE\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"otk35967"="RUNDLL32.EXE w2ca521c.dll,n 00335964000000112ca521c"
"ntk35966"="RUNDLL32.EXE w2cb29a7.dll,n 00335963000000022cb29a7"
"ptk35968"="RUNDLL32.EXE w2ca08ff.dll,n 00335965000000112ca08ff"
"ms04911272403"="C:\\WINNT\\ms04911272403.exe"
"sys02039112724"="C:\\WINNT\\sys02039112724.exe"
"ms05112724039"="C:\\WINNT\\ms05112724039.exe"
"sys09240391127"="C:\\WINNT\\sys09240391127.exe"
"sys01403911272"="C:\\WINNT\\sys01403911272.exe"
"gmvylezA"="C:\\WINNT\\gmvylezA.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_01\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AboutTime Setup"="regedit /s \"C:\\Program Files\\AboutTime\\setup.reg\""
"AboutTime TimeServer"="C:\\Program Files\\AboutTime\\abouttime.exe"
"Handy Backup 3.9"="C:\\Program Files\\Novosoft\\Handy Backup\\hbagent.exe -logon"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
"ntdll.dll"="\"C:\\Program Files\\PSLister\\PSLister.exe\""
"cprocsvc"="C:\\WINNT\\system32\\crunner\\cproc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\AutorunsDisabled]
"ishost.exe"="ishost.exe"
"issearch.exe"="issearch.exe"
"kernel32.dll"="C:\\WINNT\\system32\\isnotify.exe"
"ntdll.dll"="C:\\WINNT\\system32\\isnotify.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:95,00,00,00
"CDRAutoRun"=dword:00000000
"NoDriveAutoRun"=dword:00000000
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Outlook Express\\qukyxiq.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\ComPlus Applications\\nihovanyn.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="C:\\WINNT\\warnhp.html"
"SubscribedURL"=""
"FriendlyName"="Desktop Uninstall"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,e0,00,00,00,d6,00,00,00,ec,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,02,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\3]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,00,00,ee,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"=""

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"=""

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcccc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtspm
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winiqr32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzlo32



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20060831-225705-491
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
backup-20060831-002220-306
O15 - Trusted Zone: *.elitemediagroup.net
backup-20060831-002220-911
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
backup-20060831-002220-131
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
backup-20060831-002220-214
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
backup-20060829-211851-999
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
backup-20060829-211849-759
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c1...all/xscan53.cab
backup-20060829-211849-218
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
backup-20060829-211849-485
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
backup-20060829-211849-580
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
backup-20060829-211849-835
O15 - Trusted Zone: *.elitemediagroup.net
backup-20060829-211849-865
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
backup-20060829-211849-655
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
backup-20060829-211849-684
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
backup-20060821-011353-493
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
backup-20060821-011353-361
O15 - Trusted Zone: *.elitemediagroup.net
backup-20060819-224259-920
O15 - Trusted Zone: *.elitemediagroup.net
backup-20060819-224259-187
O15 - Trusted Zone: *.media-motor.net
backup-20060819-224259-419
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
backup-20060819-224259-639
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
backup-20060819-224258-323
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
backup-20060819-224259-814
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
backup-20060411-013111-536
O14 - IERESET.INF: START_PAGE_URL=http://www.prodigy.net
backup-20060411-013111-969
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
backup-20060411-013111-880
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
backup-20050416-220414-887
O17 - HKLM\System\CS2\Services\Tcpip\..\{2C9510CF-47B4-4181-BD14-511BA0E51EB6}: NameServer = 69.50.188.180,195.225.176.37
backup-20050416-220414-971
O17 - HKLM\System\CCS\Services\Tcpip\..\{38C1591B-3A29-4262-8909-FCF816CC33B0}: NameServer = 69.50.188.180,195.225.176.37
backup-20050416-220414-242
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C9510CF-47B4-4181-BD14-511BA0E51EB6}: NameServer = 69.50.188.180,195.225.176.37
backup-20050416-220414-270
O17 - HKLM\System\CS1\Services\Tcpip\..\{2C9510CF-47B4-4181-BD14-511BA0E51EB6}: NameServer = 69.50.188.180,195.225.176.37
backup-20050416-220414-319
O17 - HKLM\System\CCS\Services\Tcpip\..\{E70004F1-A267-422F-A6EB-5053B3B831EF}: NameServer = 69.50.188.180,195.225.176.37
backup-20050416-220414-547
O17 - HKLM\System\CCS\Services\Tcpip\..\{984752A2-4DE8-49C9-BD76-1462DFDE064C}: NameServer = 69.50.188.180,195.225.176.37
backup-20050416-220413-413
O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} - http://i1img.com/images/nocache/copilot/i1...etup1.0.0.5.cab
backup-20050416-220413-894
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2B11982C-FF06-4841-864E-472522F00946} - (no file) (HKCU)
backup-20050416-220413-212
O9 - Extra button: Microsoft AntiSpyware helper - {2B11982C-FF06-4841-864E-472522F00946} - (no file) (HKCU)
backup-20050416-220413-793
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
backup-20050416-220413-798
O4 - HKCU\..\Run: [TRPT] teqq32.exe
backup-20050416-220413-381
O4 - HKCU\..\Run: [killall] teqq32.exe
backup-20050416-220413-182
O4 - HKLM\..\Run: [startman] browsebar.exe
backup-20050416-220413-915
O4 - HKLM\..\Run: [StatusCheck] uio.exe
backup-20050416-220413-359
O2 - BHO: Name - {84CDD4B8-8997-468D-BC8B-D1B4E318E616} - C:\WINNT\system32\mswoy.dll (file missing)
backup-20050416-220413-544
O2 - BHO: Name - {58ED7989-DE5F-439B-A7EC-E4329EB230EA} - C:\WINNT\system32\mswoy.dll (file missing)
backup-20050416-220413-269
O4 - HKCU\..\Run: [mozilla-text] xwiz.exe
backup-20050416-220413-832
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\Downloaded Program Files\SbCIe027.dll
backup-20050416-220413-681
O2 - BHO: SideStep Browser Helper - {08351227-6472-43BD-8A40-D9221FF1C4CE} - C:\WINNT\Downloaded Program Files\SbCIe027.dll
backup-20050416-220413-485
R3 - URLSearchHook: (no name) - {625CFAD5-0794-E27C-F418-06C6318018B8} - Trayz.dll (file missing)
backup-20050416-220413-149
O2 - BHO: Name - {09828905-0873-49B5-B204-7C7523B01B30} - C:\WINNT\system32\mswoy.dll (file missing)
backup-20050331-153310-693
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
backup-20050331-153310-960
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20050331-153310-827
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
backup-20050331-153310-870
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20050331-153310-661
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
backup-20050331-153310-333
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
backup-20050331-153310-508
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://targetclicks.net/srch.php?qq=%s
backup-20050331-153310-575
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
backup-20050331-153310-781
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
backup-20050331-153310-159
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
backup-20050331-153310-821
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
backup-20050320-222827-935
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
backup-20050320-222827-270
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Completion time: Sun 2006-09-03 0:41:46.58
ComboFix.txt

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:37 AM

Posted 03 September 2006 - 03:37 AM

I think we'll continue with this before any massive cleaning instructions. THAT will be our next stop. :thumbsup:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

----

Also post the following:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from the notebook onto your post along with the contents of the C:\vundofix.txt as well as a fresh HijackThis log. This might take more than one reply to get all the logs posted..

Hi there, stranger!

#5 T-bone77

T-bone77
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:07:37 PM

Posted 03 September 2006 - 12:34 PM

Vundo Fix log below. I will post my HJT logs next.
---------------------------------------------------------
VundoFix V6.1.2

Checking Java version...

Java version is 1.4.2.1

Scan started at 9:15:07 AM 9/3/2006

Listing files found while scanning....

C:\WINNT\system32\opnmk.dll
C:\WINNT\system32\ssqpqqq.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\opnmk.dll
C:\WINNT\system32\opnmk.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ssqpqqq.dll
C:\WINNT\system32\ssqpqqq.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.2

Checking Java version...

Java version is 1.4.2.1

Scan started at 9:46:10 AM 9/3/2006

Listing files found while scanning....

No infected files were found.

-------------------------------------------------------------------------

#6 T-bone77

T-bone77
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:07:37 PM

Posted 03 September 2006 - 03:53 PM

Latest HJT log below. Note that it is finishing with an error: "HijackThis.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created."

Also, I have been unable to perform a save on the Uninstall Manager output from HJT. When I try to do so, the program just terminates but I don't think the output is going anywhere. I will keep trying - otherwise maybe I will hand type or screenshot the results???

-------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 13:44, on 9/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\Prodigy\PRODIG~1\app\pppoeservice.exe
C:\PROGRA~1\Prodigy\PRODIG~1\app\EnterNetDUN.Exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZONELABS\minilog.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\PRODINET\BIN\PIDUNHK.EXE
C:\PROGRA~1\PRODINET\BIN\piaxorb.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\ms04911272403.exe
C:\WINNT\sys02039112724.exe
C:\WINNT\ms05112724039.exe
C:\WINNT\sys09240391127.exe
C:\WINNT\sys01403911272.exe
C:\WINNT\gmvylezA.exe
C:\WINNT\Duce6.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*oracle.com;<local>
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F2 - REG:system.ini: UserInit=userinit.exe,rpxwrhv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ProfileCopier] "C:\Program Files\Profile Copier\ProfileCopier.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PiDunHk] "C:\PROGRA~1\PRODINET\BIN\PIDUNHK.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [otk35967] RUNDLL32.EXE w2ca521c.dll,n 00335964000000112ca521c
O4 - HKLM\..\Run: [ntk35966] RUNDLL32.EXE w2cb29a7.dll,n 00335963000000022cb29a7
O4 - HKLM\..\Run: [ptk35968] RUNDLL32.EXE w2ca08ff.dll,n 00335965000000112ca08ff
O4 - HKLM\..\Run: [ms04911272403] C:\WINNT\ms04911272403.exe
O4 - HKLM\..\Run: [sys02039112724] C:\WINNT\sys02039112724.exe
O4 - HKLM\..\Run: [ms05112724039] C:\WINNT\ms05112724039.exe
O4 - HKLM\..\Run: [sys09240391127] C:\WINNT\sys09240391127.exe
O4 - HKLM\..\Run: [sys01403911272] C:\WINNT\sys01403911272.exe
O4 - HKLM\..\Run: [gmvylezA] C:\WINNT\gmvylezA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\Duce6.exe
O4 - HKCU\..\Run: [AboutTime Setup] regedit /s "C:\Program Files\AboutTime\setup.reg"
O4 - HKCU\..\Run: [AboutTime TimeServer] C:\Program Files\AboutTime\abouttime.exe
O4 - HKCU\..\Run: [Handy Backup 3.9] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ntdll.dll] "C:\Program Files\PSLister\PSLister.exe"
O4 - HKCU\..\Run: [cprocsvc] C:\WINNT\system32\crunner\cproc.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://gsi.oraclecorp.com
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.ritzpix.com/upload/FujifilmUploadClient.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay103.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = us.oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = us.oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = us.oracle.com
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINNT\system32\xeymi.dll
O21 - SSODL: ntdll.dll - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\minilog.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\Prodigy\PRODIG~1\app\pppoeservice.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
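An added triage script, not a tool from this thread or from HijackThis: it parses lines in the HijackThis v1.99.1 log format posted above and flags the persistence entries a helper would look at first (system.ini Shell/UserInit tampering, executables launched straight out of the Windows directory, rundll32 loading an unqualified DLL, and a text/html MIME filter), plus a helper that lists which entries disappeared between two logs. The sample lines are copied from the log above; the heuristics and the "after" sample are the script's own assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "F2", "O4", "O18"
    reason: str   # stable code for the heuristic that fired
    line: str     # the original log line


LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (.*)$")

# Windows directory of the Windows 2000 host in the posted logs.  Genuine
# system binaries live in its subfolders (System32 etc.), not in its root.
WINDIR = "c:\\winnt\\"

# Constructed sample: lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F2 - REG:system.ini: UserInit=userinit.exe,rpxwrhv.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ms04911272403] C:\WINNT\ms04911272403.exe
O4 - HKLM\..\Run: [otk35967] RUNDLL32.EXE w2ca521c.dll,n 00335964000000112ca521c
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINNT\system32\xeymi.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
"""

# Constructed "fresh log" (assumed, not from the thread): Shell repaired and
# the filter DLL gone, the legitimate service still present.
SAMPLE_LOG_AFTER = r"""
F2 - REG:system.ini: Shell=explorer.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
"""


def _first_path(cmd: str) -> str:
    """Return the program path from a Run command, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def _check_f2(body: str) -> Optional[str]:
    # body looks like: REG:system.ini: Shell=explorer.exe ...
    key, _, value = body.partition(": ")[2].partition("=")
    if key.lower() == "shell":
        parts = value.split()
        # Shell must be exactly explorer.exe; anything appended is a hijack.
        if len(parts) != 1 or parts[0].lower() != "explorer.exe":
            return "shell_extra_command"
    elif key.lower() == "userinit":
        # UserInit is a comma list; only userinit.exe belongs in it.
        for part in value.split(","):
            part = part.strip().lower()
            if part and not part.endswith("userinit.exe"):
                return "userinit_extra_executable"
    return None


def _check_o4(body: str) -> Optional[str]:
    m = O4_RE.match(body)
    if not m:
        return None  # Startup-folder entries are not examined here
    cmd = m.group(1)
    tokens = cmd.split()
    if tokens and tokens[0].lower() in ("rundll32.exe", "rundll32"):
        dll = tokens[1].split(",")[0] if len(tokens) > 1 else ""
        if "\\" not in dll:
            return "rundll32_unqualified_dll"
    path = _first_path(cmd).lower()
    if (path.startswith(WINDIR) and path.endswith(".exe")
            and "\\" not in path[len(WINDIR):]):
        return "exe_in_windir_root"
    return None


def triage(log_text: str) -> list:
    """Return the Findings for every flagged line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reason = None
        if section == "F2":
            reason = _check_f2(body)
        elif section == "O4":
            reason = _check_o4(body)
        elif section == "O18" and body.lower().startswith("filter: text/html"):
            reason = "html_mime_filter"
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


def removed_entries(before: str, after: str) -> set:
    """Entries present in an earlier log but absent from the fresh one."""
    def entries(text):
        return {l.strip() for l in text.splitlines() if LINE_RE.match(l.strip())}
    return entries(before) - entries(after)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:28} {f.line}")
    for line in sorted(removed_entries(SAMPLE_LOG, SAMPLE_LOG_AFTER)):
        print("gone:", line)
```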

#7 T-bone77

T-bone77
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:07:37 PM

Posted 04 September 2006 - 12:56 AM

Ok, I finally have the results from my HJT "Uninstall Manager". I had to hand-type these out since even my HJT isn't quite working properly, but hopefully this gets you what you were looking for.

------------------------------------------------------------------------

2000 TurboTax Deluxe
2001 TurboTax Deluxe
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Illustrator 9.0
Adobe Photoshop 6.0
AOL Instant Messenger
ATI Display Driver Utilities
CleanUp!
Command Prompt Here PowerToy
DAO 3.5
Dimage V Utility
DirectX 8.1 Hotfix - KB839643
DriverGuide Toolkit
EPSON Printer Software
EPSON Status Monitor 2
ewido anti-spyware 4.0
Generic Multimedia Card Reader
Google Toolbar for Internet Explorer
HijackThis 1.99.1
ItsDeductible
ItsDeductible Express
ItsDeductible7
Java 2 Runtime Environment, SE v1.4_2.01
LiveUpdate 1.7 (Symantec Corporation)
Macromedia Contribute
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Microsoft Broadband Networking
Microsoft Data Access Components KB870669
Microsoft Office 2000 Premium
Microsoft VGX Q833989
MSN Money Investment Toolbox
NetSwitcher for Windows
Oak SimpliCD
Oak SimpliCD ReWrite
Outlook Express Q823353
Palm Desktop and Synchronization Software
Panda ActiveScan
Prodigy DSL
Prodigy Internet v5.5
Profile Copier 2.03
Quicken 2003 Premier
Quicklinks
QuickTime
RealOne Player
SafeCast Shared Components
SimCity 4
SmartFTP
Spybot - Search & Destroy 1.3
Spyware Doctor 3.8
SpywareBlaster v3.3
SpywareGuard v2.2
Symantec AntiVirus Client
Tarantella Native Client
TightVNC 1.2.7
TurboTax ItsDeductible 2004
TurboTax ItsDeductible 2005
TurboTax Premier 2002
TurboTax Premier 2003
TurboTax Premier 2004
TurboTax Premier 2005
Tweak UI
Viewpoint Manager (Remove Only)
viewpoint Media Player
WexTech AnswerWorks
Windows 2000 Hotfix - KB823182
Windows 2000 Hotfix - KB823559
Windows 2000 Hotfix - KB824105
Windows 2000 Hotfix - KB824141
Windows 2000 Hotfix - KB824146
Windows 2000 Hotfix - KB825119
Windows 2000 Hotfix - KB826232
Windows 2000 Hotfix - KB828035
Windows 2000 Hotfix - KB828741
Windows 2000 Hotfix - KB828749
Windows 2000 Hotfix - KB835732
Windows 2000 Hotfix - KB837001
Windows 2000 Hotfix - KB839645
Windows 2000 Hotfix - KB840315
Windows 2000 Hotfix - KB840987
Windows 2000 Hotfix - KB841356
Windows 2000 Hotfix - KB841533
Windows 2000 Hotfix - KB841872
Windows 2000 Hotfix - KB841873
Windows 2000 Hotfix - KB842526
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB871250
Windows 2000 Hotfix - KB873333
Windows 2000 Hotfix - KB873339
Windows 2000 Hotfix - KB885250
Windows 2000 Hotfix - KB885835
Windows 2000 Hotfix - KB885836
Windows 2000 Hotfix - KB888113
Windows 2000 Hotfix - KB890175
Windows 2000 Hotfix - KB890859
Windows 2000 Hotfix - KB890923
Windows 2000 Hotfix - KB891781
Windows 2000 Hotfix - KB893066
Windows 2000 Hotfix - KB893086
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See wm828026 for more information]
Windows Media Player system update (9 series)
WinMX
WinZip
WinZip Command Line Support Add-On
Yahoo! Messenger
ZoneAlarm Pro

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:37 AM

Posted 04 September 2006 - 03:55 AM

Let's continue. :thumbsup:

Please print these instructions out, or write them down, as you can't read them during the fix.

Please disable Spywareguard.
Double-click the red SG icon in your system tray.
Click "Options".
Under General, uncheck all 3 options, then click "Save Settings"
Close Spywareguard.
We will enable it once your system is clean.

You seem to have an old version of SpywareBlaster. Launch the current version, choose "Disable All Protection". Next, go to Add/Remove programs and uninstall SpywareBlaster 3.3. Reboot if necessary, and remember to delete the folder as well.

Download and install the latest version here:

http://www.javacoolsoftware.com/spywareblaster.html

Launch it once installed, make sure to update and then click "Enable all protection". Close SpywareBlaster.

Then also uninstall these from the Add/Remove programs list:

Viewpoint Manager (Remove Only)
viewpoint Media Player


---

Then we'll need to update your java in the hopes that Vundo won't reinfect you for a while...

Updating Java and Clearing Cache
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
    It should have the Java icon next to it.
    Select it and click Remove.
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - leave ALL 3 checked:
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
----

Run Ewido Anti-Spyware:
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • If you aren't able to finish the update within Ewido for one reason or another, you can install the manual updates here.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
Close Ewido Anti-spyware, DO NOT run a scan just yet, we will shortly.

----

Please download Brute Force Uninstaller to your desktop.
  • Right-click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

----

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the Complete script execution box to pop up and hit OK.
  • Press Exit to terminate the BFU program.
----
  • IMPORTANT: Do not open any other windows or programs while Ewido is scanning, it may interfere with the scanning process:
  • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Reboot into normal Windows and post the contents of the Ewido log that you saved along with a fresh HiJackThis log. :flowers:

Hi there, stranger!

#9 T-bone77

T-bone77
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  

Posted 05 September 2006 - 02:44 AM

Ok, all steps completed. Please note: ewido was not run in Safe Mode since it only works in regular mode. I'm not sure why, as I tried uninstalling and reinstalling but to no avail. Also note that HJT is giving me an error and terminating itself, but since I get the logfile created, I think I'm getting the desired info (this is just as before). Anyway, the system is already performing much better thanks to your help thus far. Here are the logs/reports:
------------------------------------------------------------------------------------------------------------------------

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 00:33 9/5/2006

+ Scan result:



C:\WINNT\em.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Interface\{B4B66483-E499-485E-B77B-000D31C1656F} -> Adware.RegiFast : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000} -> Adware.RegiFast : Cleaned with backup (quarantined).
C:\WINNT\system32\rk.bin -> Adware.RK : Cleaned with backup (quarantined).
C:\VundoFix Backups\opnmk.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\ssqpqqq.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINNT\system32\ntk35966.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINNT\system32\otk35967.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINNT\system32\ptk35968.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\bintheredunthat\ms04911272403.exe -> Downloader.VB.akq : Cleaned with backup (quarantined).
C:\bintheredunthat\ms05112724039.exe -> Downloader.VB.tw : Cleaned with backup (quarantined).
C:\bintheredunthat\sys01403911272.exe -> Downloader.VB.tw : Cleaned with backup (quarantined).
C:\bintheredunthat\sys02039112724.exe -> Downloader.VB.tw : Cleaned with backup (quarantined).
C:\bintheredunthat\sys09240391127.exe -> Downloader.VB.tw : Cleaned with backup (quarantined).
C:\Program Files\ComPlus Applications\nihovanyn.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Documents and Settings\lcliu\Cookies\lcliu@admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned with backup (quarantined).
C:\Documents and Settings\lcliu\Cookies\lcliu@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\lcliu\Cookies\lcliu@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\lcliu\Cookies\lcliu@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\WINNT\system32\ib14.dll -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.aq : Cleaned with backup (quarantined).
C:\WINNT\uni_ehhhh.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).


::Report end

------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 00:35, on 9/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\Prodigy\PRODIG~1\app\pppoeservice.exe
C:\PROGRA~1\Prodigy\PRODIG~1\app\EnterNetDUN.Exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZONELABS\minilog.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\PRODINET\BIN\PIDUNHK.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PRODINET\BIN\piaxorb.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*oracle.com;<local>
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe
F2 - REG:system.ini: UserInit=userinit.exe,rpxwrhv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ProfileCopier] "C:\Program Files\Profile Copier\ProfileCopier.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PiDunHk] "C:\PROGRA~1\PRODINET\BIN\PIDUNHK.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [otk35967] RUNDLL32.EXE w2ca521c.dll,n 00335964000000112ca521c
O4 - HKLM\..\Run: [ntk35966] RUNDLL32.EXE w2cb29a7.dll,n 00335963000000022cb29a7
O4 - HKLM\..\Run: [ptk35968] RUNDLL32.EXE w2ca08ff.dll,n 00335965000000112ca08ff
O4 - HKLM\..\Run: [ms04911272403] C:\WINNT\ms04911272403.exe
O4 - HKLM\..\Run: [sys02039112724] C:\WINNT\sys02039112724.exe
O4 - HKLM\..\Run: [ms05112724039] C:\WINNT\ms05112724039.exe
O4 - HKLM\..\Run: [sys09240391127] C:\WINNT\sys09240391127.exe
O4 - HKLM\..\Run: [sys01403911272] C:\WINNT\sys01403911272.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [AboutTime Setup] regedit /s "C:\Program Files\AboutTime\setup.reg"
O4 - HKCU\..\Run: [AboutTime TimeServer] C:\Program Files\AboutTime\abouttime.exe
O4 - HKCU\..\Run: [Handy Backup 3.9] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ntdll.dll] "C:\Program Files\PSLister\PSLister.exe"
O4 - HKCU\..\Run: [cprocsvc] C:\WINNT\system32\crunner\cproc.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://gsi.oraclecorp.com
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.ritzpix.com/upload/FujifilmUploadClient.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay103.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = us.oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = us.oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = us.oracle.com
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - (no file)
O21 - SSODL: ntdll.dll - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\minilog.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\Prodigy\PRODIG~1\app\pppoeservice.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:37 AM

Posted 05 September 2006 - 03:22 AM

Looking better step by step. :thumbsup: But we still have a lot of cleaning to do.

Please uninstall SpywareGuard completely, as it doesn't seem to disable its protection. It might be interfering with the fixing process, and there are much better programs out there; SpywareGuard hasn't been updated for a long time.

Go ahead and uninstall Ewido and delete ComboFix/BFU/alcanshorty.bfu if you wish.

Please download Qoofix © RubbeR DuckY:
  • Unzip all files to a convenient location such as C:\Qoofix.
  • Go to the folder you unzipped all files and double-click Qoofix.exe.
  • Click Begin Removal and wait for the scan to finish.
  • If an infection has been found, select yes to restart your computer.
  • Post the contents of the Qoofix logfile in your next reply.

    Note: If you have problems with the Qoofix logfile, open it manually from its own folder -> C:\Qoofix.
---

Please download Dr.Web CureIt to the desktop:
  • Double-click the drweb-cureit.exe file and allow it to run the Express scan.
  • This will scan the files currently running in memory and when something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found.
  • If so, click it, then click the next icon right below and select Move incurable, as shown in the next image.
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • Post the contents of the log from Dr.Web you saved previously in your next reply as well.
-----

Please download SmitfraudFix © S!Ri
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply along with the contents of the QooFix logfile as well as the DrWeb results from the DrWeb.csv file. :flowers:

Please post multiple replies again to make sure you get it all to fit in; maybe post the Qoofix and SmitfraudFix reports in their own post and then the DrWeb one.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Hi there, stranger!

#11 T-bone77

T-bone77
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:07:37 PM

Posted 05 September 2006 - 10:33 PM

All 3 logs included below:

-----------------------------------------------------------------------------------------------------------------------------

Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [9/5/2006] at [1:52:58 AM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [9/5/2006] at [1:54:45 AM]

Note: Some registry keys may have been removed.


-----------------------------------------------------------------------------------------------------------------------------

SmitFraudFix v2.83

Scan done at 18:25:44.44, Tue 09/05/2006
Run from C:\Documents and Settings\lcliu\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in normal mode

C:\


C:\WINNT


C:\WINNT\system


C:\WINNT\Web


C:\WINNT\system32


C:\Documents and Settings\lcliu\Application Data


Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

C:\DOCUME~1\lcliu\FAVORI~1


Desktop

C:\DOCUME~1\ALLUSE~1\DESKTOP\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\DESKTOP\Security Troubleshooting.url FOUND !

C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

Scanning wininet.dll infection


End


-----------------------------------------------------------------------------------------------------------------------------


ProfileCopier.exe;C:\Program Files\Profile Copier;Trojan.PWS.TOnline;Deleted.;
fcccc.dll;C:\WINNT\system32;Trojan.Virtumod;Will be cured after reboot.;
fcccc.dll;C:\WINNT\system32;Trojan.Virtumod;Will be cured after reboot.;
Setup Oracle Email.exe;C:\Documents and Settings\All Users\Desktop;Trojan.PWS.TOnline;Deleted.;
Activate SEbackUp.exe;C:\Documents and Settings\All Users\Desktop;Trojan.PWS.TOnline;Deleted.;
Application Installer.exe;C:\Documents and Settings\All Users\Start Menu\Programs\Application & Printer Installer;Trojan.PWS.TOnline;Deleted.;
Printer Installer.exe;C:\Documents and Settings\All Users\Start Menu\Programs\Application & Printer Installer;Trojan.PWS.TOnline;Deleted.;
Process.exe;C:\Documents and Settings\lcliu\My Documents\T's Stuff\smitRem;Tool.Prockill;Incurable.Moved.;
Process.exe;C:\Documents and Settings\lcliu\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\lcliu\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
pskill.exe;C:\Program Files\Profile Copier;Tool.Prockill;Incurable.Moved.;
VNCHooks.dll;C:\Program Files\TightVNC;Program.RemoteAdmin;Incurable.Moved.;
vncviewer.exe;C:\Program Files\TightVNC;Program.RemoteAdmin;Incurable.Moved.;
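
Rawe's note above explains why Dr.Web reports process.exe as a "RiskTool" rather than a virus. As an added example (not part of this thread and not Dr.Web's own code), the Python below parses the semicolon-separated records exactly as they appear in the DrWeb.csv results posted above, drops duplicate records, separates the Tool./Program. riskware verdicts (which need a human decision: SmitfraudFix's own helpers and a VNC install are in that bucket) from the trojan verdicts, and lists anything marked "Will be cured after reboot" so the helper knows a restart is still outstanding. The field order and the choice of prefixes treated as riskware are my assumptions from the posted output, not a documented Dr.Web format.

```python
# Constructed sample: the Dr.Web CureIt records posted above, in the
# semicolon-separated layout the DrWeb.csv export uses
# (name;directory;verdict;action;). Field order is assumed from that output.
SAMPLE_DRWEB = r"""
ProfileCopier.exe;C:\Program Files\Profile Copier;Trojan.PWS.TOnline;Deleted.;
fcccc.dll;C:\WINNT\system32;Trojan.Virtumod;Will be cured after reboot.;
fcccc.dll;C:\WINNT\system32;Trojan.Virtumod;Will be cured after reboot.;
Setup Oracle Email.exe;C:\Documents and Settings\All Users\Desktop;Trojan.PWS.TOnline;Deleted.;
Activate SEbackUp.exe;C:\Documents and Settings\All Users\Desktop;Trojan.PWS.TOnline;Deleted.;
Application Installer.exe;C:\Documents and Settings\All Users\Start Menu\Programs\Application & Printer Installer;Trojan.PWS.TOnline;Deleted.;
Printer Installer.exe;C:\Documents and Settings\All Users\Start Menu\Programs\Application & Printer Installer;Trojan.PWS.TOnline;Deleted.;
Process.exe;C:\Documents and Settings\lcliu\My Documents\T's Stuff\smitRem;Tool.Prockill;Incurable.Moved.;
Process.exe;C:\Documents and Settings\lcliu\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\lcliu\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
pskill.exe;C:\Program Files\Profile Copier;Tool.Prockill;Incurable.Moved.;
VNCHooks.dll;C:\Program Files\TightVNC;Program.RemoteAdmin;Incurable.Moved.;
vncviewer.exe;C:\Program Files\TightVNC;Program.RemoteAdmin;Incurable.Moved.;
"""

# Assumption: verdicts in these name classes are "riskware" (legitimate admin
# tools that can be abused), everything else is treated as malware for triage.
RISKWARE_PREFIXES = ("Tool.", "Program.")


def parse_drweb(text):
    """Split the report into dicts; skip blank or malformed lines."""
    records = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.rstrip(";").split(";")
        if len(parts) < 4:
            continue
        name, directory, verdict, action = parts[:4]
        records.append({"name": name, "dir": directory,
                        "verdict": verdict, "action": action})
    return records


def classify_verdict(verdict):
    """'riskware' needs a human decision; 'malware' is the default bucket."""
    return "riskware" if verdict.startswith(RISKWARE_PREFIXES) else "malware"


def triage_drweb(records):
    """Deduplicate, bucket by verdict class, and collect reboot-pending items."""
    seen = set()
    summary = {"malware": [], "riskware": [], "pending_reboot": [], "duplicates": 0}
    for rec in records:
        key = (rec["name"], rec["dir"], rec["verdict"])
        if key in seen:                      # same file reported twice (fcccc.dll above)
            summary["duplicates"] += 1
            continue
        seen.add(key)
        summary[classify_verdict(rec["verdict"])].append(rec)
        if "after reboot" in rec["action"].lower():
            summary["pending_reboot"].append(rec)
    return summary


def print_summary(summary):
    for bucket in ("malware", "riskware"):
        print(f"{bucket} ({len(summary[bucket])}):")
        for rec in summary[bucket]:
            print(f"  {rec['verdict']:<22} {rec['dir']}\\{rec['name']}  [{rec['action']}]")
    if summary["pending_reboot"]:
        names = ", ".join(r["name"] for r in summary["pending_reboot"])
        print(f"reboot still required to finish cleaning: {names}")
    print(f"duplicate records dropped: {summary['duplicates']}")


if __name__ == "__main__":
    print_summary(triage_drweb(parse_drweb(SAMPLE_DRWEB)))
```

The riskware bucket is where the helper's judgement goes: Process.exe and restart.exe under the SmitfraudFix folder are the fix tool's own components, while a TightVNC install is something to confirm with the machine's owner; neither should be treated the same as the Trojan.PWS hits.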

#12 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:37 AM

Posted 06 September 2006 - 01:13 AM

Go ahead and delete QooFix along with DrWeb..

Please print these instructions out, or write them down, as you can't read them during the fix.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode
5) Choose your usual account.


Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a fresh HijackThis log. :thumbsup:
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.
Hi there, stranger!

#13 T-bone77

T-bone77
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:07:37 PM

Posted 06 September 2006 - 10:17 AM

New Smitfraud and HJT logs.

---------------------------------------------------------------------------------------------------------------------------

SmitFraudFix v2.41

Scan done at 1:42:51.09, Wed 05/31/2006
Run from C:\Documents and Settings\lcliu\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195]

C:\

C:\winstall.exe FOUND !

C:\WINNT

C:\WINNT\uninstDsk.exe FOUND !
C:\WINNT\warnhp.html FOUND !

C:\WINNT\system


C:\WINNT\Web


C:\WINNT\system32

C:\WINNT\system32\oleext.dll FOUND !

C:\Documents and Settings\lcliu\Application Data

C:\Documents and Settings\lcliu\Application Data\Install.dat FOUND !

Start Menu


C:\DOCUME~1\lcliu\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Scanning wininet.dll infection


End


---------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 08:12, on 9/6/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\Prodigy\PRODIG~1\app\pppoeservice.exe
C:\PROGRA~1\Prodigy\PRODIG~1\app\EnterNetDUN.Exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ZONELABS\minilog.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\PRODINET\BIN\PIDUNHK.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\PRODINET\BIN\piaxorb.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*oracle.com;<local>
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PiDunHk] "C:\PROGRA~1\PRODINET\BIN\PIDUNHK.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [otk35967] RUNDLL32.EXE w2ca521c.dll,n 00335964000000112ca521c
O4 - HKLM\..\Run: [ntk35966] RUNDLL32.EXE w2cb29a7.dll,n 00335963000000022cb29a7
O4 - HKLM\..\Run: [ptk35968] RUNDLL32.EXE w2ca08ff.dll,n 00335965000000112ca08ff
O4 - HKLM\..\Run: [ms04911272403] C:\WINNT\ms04911272403.exe
O4 - HKLM\..\Run: [sys02039112724] C:\WINNT\sys02039112724.exe
O4 - HKLM\..\Run: [ms05112724039] C:\WINNT\ms05112724039.exe
O4 - HKLM\..\Run: [sys09240391127] C:\WINNT\sys09240391127.exe
O4 - HKLM\..\Run: [sys01403911272] C:\WINNT\sys01403911272.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [AboutTime Setup] regedit /s "C:\Program Files\AboutTime\setup.reg"
O4 - HKCU\..\Run: [AboutTime TimeServer] C:\Program Files\AboutTime\abouttime.exe
O4 - HKCU\..\Run: [Handy Backup 3.9] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ntdll.dll] "C:\Program Files\PSLister\PSLister.exe"
O4 - HKCU\..\Run: [cprocsvc] C:\WINNT\system32\crunner\cproc.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://gsi.oraclecorp.com
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.ritzpix.com/upload/FujifilmUploadClient.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay103.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = us.oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = us.oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = us.oracle.com
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - (no file)
O21 - SSODL: ntdll.dll - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\minilog.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\Prodigy\PRODIG~1\app\pppoeservice.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
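
The HijackThis log above is read by hand in this thread. As an added example (not part of the thread and not HijackThis's own code), here is a small Python triage script that applies a few of the checks a helper runs over O4, O18, O21 and R0 lines: autorun names or commands salted with long digit runs, rundll32 loading a DLL by bare name, an autorun value named after a system DLL, registrations that point at "(no file)", and a blanked search setting. The sample lines are copied from the log above (plus the benign Symantec vptray entry); the heuristics and their wording are my own assumptions, not rules HijackThis ships.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above,
# plus the benign vptray entry, so the triage can run offline.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [otk35967] RUNDLL32.EXE w2ca521c.dll,n 00335964000000112ca521c
O4 - HKLM\..\Run: [ms04911272403] C:\WINNT\ms04911272403.exe
O4 - HKCU\..\Run: [ntdll.dll] "C:\Program Files\PSLister\PSLister.exe"
O4 - HKCU\..\Run: [cprocsvc] C:\WINNT\system32\crunner\cproc.exe
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - (no file)
O21 - SSODL: ntdll.dll - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
"""

# "O4 - HKLM\..\Run: [name] command": the autorun format HijackThis prints.
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Eight or more consecutive digits: the salted names (ms0491..., sys0203...) seen above.
DIGIT_RUN_RE = re.compile(r"\d{8,}")
# rundll32 followed by the DLL it loads, up to the first comma or whitespace.
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+)", re.I)


def triage_hjt(log_text):
    """Return [(line, [reasons])] for lines matching a heuristic.

    Heuristics are deliberately conservative: a line with no finding is
    not a clean bill of health, it just means none of these patterns hit.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = []
        m = O4_RUN_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if DIGIT_RUN_RE.search(name) or DIGIT_RUN_RE.search(cmd):
                reasons.append("autorun name/command contains a long digit run (random-looking filename)")
            r = RUNDLL_RE.match(cmd)
            if r and not re.search(r"[\\/]", r.group("dll")):
                reasons.append("rundll32 loads a DLL by bare name, resolved through the search path")
            if name.lower().endswith(".dll"):
                reasons.append("autorun value named like a system DLL but pointing elsewhere")
        if line.endswith("(no file)") or line.endswith("(file missing)"):
            reasons.append("registration points to a missing file: dead entry, cleanup candidate")
        if line.startswith(("R0", "R1")) and line.endswith("about:blank"):
            reasons.append("browser search/start setting blanked: typical hijacker residue")
        if reasons:
            findings.append((line, reasons))
    return findings


def print_findings(findings):
    for line, reasons in findings:
        print(line)
        for reason in reasons:
            print(f"    -> {reason}")


if __name__ == "__main__":
    print_findings(triage_hjt(SAMPLE_HJT))
```

The [cprocsvc] entry triggers none of these heuristics, which is exactly why a helper still reads every line of the log rather than relying on pattern matches; the script narrows the work, it does not decide what gets fixed.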

#14 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:37 AM

Posted 06 September 2006 - 10:55 AM

That's not the correct SmitfraudFix log...

And how did you change your SmitFraudFix to an older version?? :thumbsup:

Delete all your current SmitFraudFix files as well as the reports from the C:\ drive. Then download the latest one here:

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Then please follow the instructions from my last post (go to the safe mode, use option 2 etc).

Then post the correct log with the info needed as well as a fresh HijackThis log :flowers:
Hi there, stranger!

#15 T-bone77

T-bone77
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:07:37 PM

Posted 06 September 2006 - 11:43 PM

Oops, sorry 'bout that :thumbsup:

Try this log, which was saved in a different directory than the one I posted (that one obviously was an old one). The HJT log remains the same as in my previous post.

-----------------------------------------------------------------------------------------------------------------------------

SmitFraudFix v2.83

Scan done at 7:47:19.53, Wed 09/06/2006
Run from C:\Documents and Settings\lcliu\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\DOCUME~1\ALLUSE~1\DESKTOP\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\DESKTOP\Security Troubleshooting.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End



