
Spy Sheriff Uninstalled, But Pop-ups Continue


11 replies to this topic

#1 sk8nob

Posted 03 September 2006 - 12:24 AM

Hello

I tried getting rid of this problem myself, but can't figure it out. Spybot says there are no infections, but Ad-Aware freezes once it reaches the software\microsoft\windows\currentversion\shellserviceobjectdelayload file. Whether or not this has anything to do with it, I have no idea. McAfee Stinger also produced no results. I did have the Spy Sheriff problem, but I uninstalled it 2 days ago and can't find any trail it left behind or cause for the problems. On my computer there are numerous pop-ups every few minutes, and sometimes my display gets screwed up, like my right-click function won't work or I get nothing but a black screen once I exit full-screen games (which forces me to restart). In my Add/Remove Programs there is nothing suspicious or anything I don't recognize, and for some reason my Adobe Reader stopped working. Hopefully with your help I can clear this up without having to reformat. Thanks in advance.

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\cgujobj.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\ms063604128007.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wmv8dmod.exe
C:\WINDOWS\system32\crunner\cproc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Duce6.exe
C:\Documents and Settings\John\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\suflu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,epmpfgb.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41559444-8817-464D-87D1-9FA5D6C1D8D5} - C:\Program Files\Messenger\mexora.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsc12.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ms063604128007] C:\WINDOWS\ms063604128007.exe
O4 - HKLM\..\Run: [loaddr] C:\sakoahi.exe
O4 - HKLM\..\Run: [bkkcb056] RUNDLL32.EXE w385f648.dll,n 003cb05300000005385f648
O4 - HKLM\..\Run: [sys012800736041] C:\WINDOWS\sys012800736041.exe
O4 - HKLM\..\Run: [cgujobjA] C:\WINDOWS\cgujobjA.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mwinkpex.exe GEN001
O4 - HKLM\..\Run: [{C5-5F-F8-84-ZN}] C:\windows\system32\ojdsregj.exe GEN001
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [wmv8dmod] C:\WINDOWS\system32\wmv8dmod.exe
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: TA_Start.lnk = C:\TIGEN001.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\mwinkpex.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...99/mcinsctl.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obg\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: fdeploy.exe - Unknown owner - C:\WINDOWS\system32\fdeploy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\cgujobj.exe
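The log above is the kind a forum helper reads by eye: the F2 lines show Shell= and UserInit= pointing at extra executables, several O4 Run entries launch programs sitting directly in C:\ or C:\WINDOWS\, the O15 lines add ad-network domains to the IE Trusted Zone, and an O23 service has no publisher. The following script is an added example (not part of the thread and not HijackThis's own code) that encodes those same triage checks over HijackThis v1.99.1 log lines. The sample lines are constructed from entries in the log above, shortened to a handful; the heuristics (`check_f2`, `check_o4`, `check_o15`, `check_o21`, `check_o23`) are my own assumptions about what to flag for review, not a verdict that an entry is malicious.

```python
"""Triage heuristics for HijackThis v1.99.1 log lines.

Added example, not from the BleepingComputer thread or HijackThis itself.
It flags the entry types a helper reviews first: shell/userinit hijacks (F2),
Run entries launched from unusual locations (O4), Trusted Zone additions
(O15), ShellServiceObjectDelayLoad entries (O21) and services with no
publisher (O23). A flag means "look at this", not "this is malware".
"""
import re

# Constructed sample modelled on the first log in the thread: the file names
# are taken from it, but the list is shortened and is not a real scan.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\suflu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,epmpfgb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ms063604128007] C:\WINDOWS\ms063604128007.exe
O4 - HKLM\..\Run: [loaddr] C:\sakoahi.exe
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O15 - Trusted Zone: *.elitemediagroup.net
O21 - SSODL: hksrv.dll - {5243AEBB-0748-4146-A6DF-2AD83B045114} - hksrv.dll (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\cgujobj.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# An .exe sitting directly in the drive root or the Windows root is unusual
# for legitimate software; several entries in the thread's log look like this.
ODD_RUN_LOCATION = re.compile(r"^[A-Z]:\\(WINDOWS\\)?[^\\]+\.exe\b", re.IGNORECASE)


def parse_line(line):
    """Split 'O4 - <body>' into (section, body); return None for other lines."""
    m = re.match(r"^([A-Z]\d{1,2}) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_f2(body):
    """Shell= must be exactly Explorer.exe; UserInit= must list only userinit.exe."""
    m = re.match(r"REG:system\.ini: (Shell|UserInit)=(.*)$", body)
    if not m:
        return None
    key, value = m.group(1), m.group(2)
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if key == "Shell" and [p.lower() for p in parts] != ["explorer.exe"]:
        return "Shell= loads something besides Explorer.exe"
    if key == "UserInit" and len(parts) > 1:
        return "UserInit= runs an extra program after userinit.exe"
    return None


def check_o4(body):
    """Flag Run entries whose executable lives in the drive or Windows root."""
    m = re.match(r"(HKLM|HKCU)\\\.\.\\Run: \[[^\]]+\] (.*)$", body)
    if m and ODD_RUN_LOCATION.match(m.group(2)):
        return "Run entry launches from drive root or Windows root"
    return None


def check_o15(body):
    """Any Trusted Zone addition lowers IE's protections for that site."""
    if body.startswith("Trusted Zone:"):
        return "Site added to IE Trusted Zone"
    return None


def check_o21(body):
    """SSODL entries load a DLL whenever the shell starts; review every one."""
    if body.startswith("SSODL:"):
        note = "ShellServiceObjectDelayLoad entry loads a DLL at shell start"
        if "(file missing)" in body:
            note += "; file missing, stale registration"
        return note
    return None


def check_o23(body):
    """Services with no publisher string deserve a second look."""
    if body.startswith("Service:") and "Unknown owner" in body:
        return "Service has no publisher information"
    return None


CHECKS = {"F2": check_f2, "O4": check_o4, "O15": check_o15,
          "O21": check_o21, "O23": check_o23}


def triage(log_text):
    """Return (section, reason, line) for every line some check flags."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, body = parsed
        check = CHECKS.get(section)
        reason = check(body) if check else None
        if reason:
            findings.append((section, reason, line.strip()))
    return findings


def summarize(findings):
    """Count flagged lines per HijackThis section."""
    counts = {}
    for section, _, _ in findings:
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample it flags seven lines: both F2 entries, the two Run entries in C:\ and C:\WINDOWS\, the Trusted Zone addition, the SSODL entry and the unowned service, while the Java updater, the system32 Run entry and the NVIDIA service pass. Real triage still needs a human to confirm each flagged file, which is what the helpers in this thread do before telling the poster what to fix.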


#2 Falu

Posted 03 September 2006 - 06:12 AM

Hi sk8nob, :thumbsup:

We're studying your log and will be back to you a.s.a.p.

Thanks for your patience.

#3 sk8nob

Posted 03 September 2006 - 03:03 PM

Thank you very much.

#4 Falu

Posted 04 September 2006 - 05:56 AM

Hi sk8nob, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

Unfortunately the date of your HijackThis log is missing, but I assume it's from today, the day that you posted here. Can you confirm that, please?

1. You are running HijackThis from your desktop. HJT creates backups and we want them safe and secure should they be required later. For that reason I recommend moving HijackThis to its own location. Create a folder on your C: drive: click Start > My Computer, open/double-click your C:\ drive, select New, then Folder, and call it C:\hijackthis. Drag HijackThis into that folder!

2. Spyware Doctor is active on your computer and that is good but it may interfere and/or actually obstruct HijackThis removal. So it has to be disabled first:

a. Open Spyware Doctor
b. Click on the 'Settings' button on the left hand panel
c. Then click on the 'Startup Settings' under 'Pick a Category'
d. Uncheck the box on the right that says 'Run at Windows Startup'

You may re-enable it once you're clean; I will let you know!

3. Please download Qoofix by Rubber Ducky to your desktop.
  • Right click on the Qoofix folder, and choose "Extract All". Extract Qoofix to your C: drive
  • Close all windows and programs, including internet windows.
  • Go to C:\Qoofix and open the folder, then double click on Qoofix.exe
  • Click Begin Removal and wait for the scan to finish
  • If Qoofix finds an infection, select yes to restart your computer
  • You will now find a log from this tool, located at C:\Qoofix\Qoofix Logfile.txt. Copy and paste the contents of that report into your next reply here.
Please post the C:\Qoofix\Qoofix Logfile.txt together with a fresh complete HijackThis log!

#5 sk8nob

Posted 04 September 2006 - 11:56 AM

Hello Falu,

Thanks for your help. I think I managed to fix the problem last night: I bombarded my system with Ad-Aware, Spybot, and AVG over and over until they found something and had them remove it. Now the pop-ups have stopped and my computer seems to be running as it was before. Just to be safe I'll post a recent HijackThis log. Qoofix didn't find anything, which is a good sign, and yes, the previous HijackThis log was from yesterday. Here's the one from today:

Logfile of HijackThis v1.99.1
Scan saved at 12:53:32 PM, on 9/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\windows\system32\ojdsregj.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\{4C4C5F84-0959-1033-0721-030217200001}\Update.exe
C:\WINDOWS\system32\wmv8dmod.exe
C:\WINDOWS\system32\crunner\cproc.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\HIjackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsc12.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [bkkcb056] RUNDLL32.EXE w385f648.dll,n 003cb05300000005385f648
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mwinkpex.exe GEN001
O4 - HKLM\..\Run: [{C5-5F-F8-84-ZN}] C:\windows\system32\ojdsregj.exe GEN001
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [wmv8dmod] C:\WINDOWS\system32\wmv8dmod.exe
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - Startup: TA_Start.lnk = C:\TIGEN001.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\mwinkpex.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...99/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: fdeploy.exe - Unknown owner - C:\WINDOWS\system32\fdeploy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

#6 Falu

Posted 05 September 2006 - 05:11 AM

Hi sk8nob, :thumbsup:

Thanks for your help.

You're very welcome.

I think I managed to fix the problem last night,

To be clear, we're not ready yet.

1. Please download, install, and update Ewido anti-spyware
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Close Ewido. Do not run it yet.
2. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to, click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcan worm remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

4. Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 a few times before Windows loads. Select Safe Mode on the screen that appears.

5. Once in Safe Mode, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Next to the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
6. Ewido Scan
  • Then run Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Restart back into Normal Mode.
Please perform another scan with Hijack This, and then post the contents of the Ewido text report that you saved and a new HijackThis log.

#7 sk8nob

Posted 05 September 2006 - 02:47 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:44:06 PM, on 9/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\crunner\cproc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\HIjackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsc12.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [bkkcb056] RUNDLL32.EXE w385f648.dll,n 003cb05300000005385f648
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mwinkpex.exe GEN001
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - Startup: TA_Start.lnk = C:\TIGEN001.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\mwinkpex.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...99/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O21 - SSODL: hksrv.dll - {5243AEBB-0748-4146-A6DF-2AD83B045114} - hksrv.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: fdeploy.exe - Unknown owner - C:\WINDOWS\system32\fdeploy.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:41:03 PM 9/5/2006

+ Scan result:



C:\Program Files\Common Files\{4C4C5F84-0959-1033-0721-030217200001}\Update.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\WINDOWS\aiblzuzv.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\utjtrdmz.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\em.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\unstall.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WinNB58.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\MirarSetup_876075.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\TIGEN001.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ojdsregj.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wmv8dmod.exe -> Backdoor.Small.ml : Cleaned with backup (quarantined).
C:\WINDOWS\system32\inst.exe -> Downloader.Agent.am : Cleaned with backup (quarantined).
C:\814.exe -> Downloader.Dyfuca.fb : Cleaned with backup (quarantined).
C:\WINDOWS\system32\fdeploy.exe -> Downloader.Reqlook.g : Cleaned with backup (quarantined).
C:\Program Files\Common Files\pogo.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Program Files\WindowsUpdate\medeci.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hksrv.dll -> Logger.Mxsender.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\prsvc.exe -> Logger.Mxsender.f : Cleaned with backup (quarantined).
HKU\S-1-5-21-1123561945-602162358-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1E6CE4CD-161B-4847-B8BF-E2EF72299D69} -> Logger.Sters : Cleaned with backup (quarantined).
C:\Documents and Settings\John\Cookies\john@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\John\Cookies\john@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\John\Cookies\john@pch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\John\Cookies\john@westerncreative.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.77:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.78:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.79:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\John\Cookies\john@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\John\Cookies\john@adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\John\Cookies\john@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\John\Cookies\john@admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned.
:mozilla.461:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\John\Cookies\john@www.adtrak[2].txt -> TrackingCookie.Adtrak : Cleaned.
:mozilla.16:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.138:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\John\Cookies\john@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\John\Cookies\john@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\John\Cookies\john@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.415:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\John\Cookies\john@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.92:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.94:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.95:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.96:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\John\Cookies\john@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.43:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.431:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\John\Cookies\john@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
:mozilla.209:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\John\Cookies\john@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.10:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\sxud2ljd.default\cookies.txt -> TrackingCookie.Findwhat : Cleaned.
:mozilla.204:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Findwhat : Cleaned.
:mozilla.432:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Goclick : Cleaned.
:mozilla.433:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Goclick : Cleaned.
:mozilla.8:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\sxud2ljd.default\cookies.txt -> TrackingCookie.Goclick : Cleaned.
:mozilla.9:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\sxud2ljd.default\cookies.txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\John\Cookies\john@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
:mozilla.502:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
C:\Documents and Settings\John\Cookies\john@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\John\Cookies\john@server.lon.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.15:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\John\Cookies\john@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\John\Cookies\john@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\John\Cookies\john@creative.paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned.
:mozilla.210:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.211:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.212:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.213:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\John\Cookies\john@popuptraffic[1].txt -> TrackingCookie.Popuptraffic : Cleaned.
:mozilla.53:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.57:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.58:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.59:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\John\Cookies\john@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.347:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\John\Cookies\john@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\John\Cookies\john@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\John\Cookies\john@searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\John\Cookies\john@www.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
:mozilla.106:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.107:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.108:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.109:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.110:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.111:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.161:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.162:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.163:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.164:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.165:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\John\Cookies\john@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\John\Cookies\john@h.starware[2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\John\Cookies\john@try.starware[1].txt -> TrackingCookie.Starware : Cleaned.
:mozilla.80:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.81:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.82:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.83:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\John\Cookies\john@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\John\Cookies\john@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\John\Cookies\john@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.137:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
C:\Documents and Settings\John\Cookies\john@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned.
C:\Documents and Settings\John\Cookies\john@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.
:mozilla.383:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.384:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.385:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.386:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.387:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.388:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.389:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.62:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.63:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.64:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.65:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.66:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\John\Cookies\john@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\John\Cookies\john@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\John\Cookies\john@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.410:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.411:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.412:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\1uxl8f3a.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\John\Cookies\john@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\hosts.sam -> Trojan.Qhost.hl : Cleaned with backup (quarantined).


::Report end


Once again, thanks for your help and attention.

#8 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 September 2006 - 08:11 AM

Hi sk8nob, :thumbsup:

1. Download ATF Cleaner by Atribune. Do not run it yet.

2. Run HijackThis, click Scan and checkmark the following entries:

R3 - Default URLSearchHook is missing
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsc12.dll
O4 - HKLM\..\Run: [bkkcb056] RUNDLL32.EXE w385f648.dll,n 003cb05300000005385f648
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mwinkpex.exe GEN001
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - Startup: TA_Start.lnk = C:\TIGEN001.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\mwinkpex.ex
O21 - SSODL: hksrv.dll - {5243AEBB-0748-4146-A6DF-2AD83B045114} - hksrv.dll (file missing)
O23 - Service: fdeploy.exe - Unknown owner - C:\WINDOWS\system32\fdeploy.exe (file missing)


Do you know what this may refer to?

O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe


If not please follow these instructions to submit the folder:

Download Suspicious File Packer and extract the program to your desktop. Open the program and copy/paste the following folder. Afterward go to http://www.bleepingcomputer.com/submit-malware.php?channel=7 and submit the folder. The folder to be submitted:

C:\WINDOWS\system32\crunner\*.*

Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

3. Go to Start->Run, type CMD and click Ok.

Alternatively, press Ctrl+Alt+Delete to bring up the Task Manager. While holding down the Ctrl key, click on New Task. Once the MSDOS Window comes up, minimize the Task Manager.
At the prompt type the following and press Enter after each line:

SC Stop fdeploy.exe
SC Delete fdeploy.exe
Exit

4. Make sure you can view all files. Click Start >My Computer > Tools > Folder Options >View. Check "Show hidden files and folders", uncheck "Hide protected operating system files" and "Hide extensions for known file types". Click "Apply to all folders" >Apply then OK.

5. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

6. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the following files in bold if listed:

C:\WINDOWS\system32\nsc12.dll
C:\WINDOWS\system32\w385f648.dll
C:\WINDOWS\system32\mwinkpex.exe
C:\WINDOWS\system32\test.exe
C:\TIGEN001.exe
C:\WINDOWS\system32\hksrv.dll
C:\WINDOWS\system32\fdeploy.exe

Let me know if you had problems with this step.

7. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

8. Reboot back into Normal Mode and do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
9. You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 5.0 Update 8). Please update and remove the older versions. Do the following:
  • Go to Start > Control Panel, double-click on the Software icon > add/remove programs.
  • Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
    Select it and click Remove.
  • Then download and install the newest version from here:
    Java Runtime Environment (JRE) 5.0 Update 8

Please post the Kaspersky report together with a fresh HijackThis log and let me know how things are running now.
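Falu's step 2 picks the entries to fix out of the HijackThis log by eye. The following added example (written for this page; it is not Falu's method and not HijackThis code) encodes a few of the heuristics a helper applies when reading such a log: orphaned "(file missing)" loaders, SSODL and Trusted Zone entries, services with no owner string, rundll32 with a bare DLL name, and random-looking file names sitting directly in the Windows directories. The sample lines are the entries quoted in this thread plus three benign ones from the fresh log; the name-randomness thresholds are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis entries quoted in this thread (the ones Falu
# asked to fix, plus the cprocsvc entry), mixed with three benign entries from
# the fresh log so the heuristics have something they must NOT flag.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsc12.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [bkkcb056] RUNDLL32.EXE w385f648.dll,n 003cb05300000005385f648
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mwinkpex.exe GEN001
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O15 - Trusted Zone: *.elitemediagroup.net
O21 - SSODL: hksrv.dll - {5243AEBB-0748-4146-A6DF-2AD83B045114} - hksrv.dll (file missing)
O23 - Service: fdeploy.exe - Unknown owner - C:\WINDOWS\system32\fdeploy.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

RE_ENTRY = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# A drive-rooted path up to a loader extension (lazy, so arguments after it are ignored).
RE_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx|sys)\b", re.I)
# rundll32 invoked with a DLL given by bare name (resolved via the search path).
RE_RUNDLL = re.compile(r"RUNDLL32\.EXE\s+([^\s\\]+\.dll)", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


@dataclass
class Finding:
    kind: str
    line: str
    reasons: list


def _stem_looks_random(name):
    """Assumed heuristic: digits mixed into the stem, or very few vowels."""
    stem = name.rsplit(".", 1)[0].lower()
    letters = re.sub(r"[^a-z]", "", stem)
    if not letters:
        return False
    mixed = any(c.isdigit() for c in stem)
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    return mixed or (len(letters) >= 4 and vowel_ratio <= 0.25)


def _directly_in_system_dir(path):
    low = path.lower()
    return any(low.startswith(d) and "\\" not in low[len(d):] for d in SYSTEM_DIRS)


def _in_system32_subfolder(path):
    low = path.lower()
    return low.startswith(SYSTEM_DIRS[0]) and "\\" in low[len(SYSTEM_DIRS[0]):]


def analyze_entry(line):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    m = RE_ENTRY.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    reasons = []
    if kind.startswith("R") and "is missing" in body:
        reasons.append("default browser setting missing (often reset by a hijacker)")
    if "(file missing)" in body:
        reasons.append("referenced file is gone: orphaned loader entry")
    if kind == "O21":
        reasons.append("ShellServiceObjectDelayLoad entry: loads into explorer.exe at logon")
    if kind == "O15":
        reasons.append("domain added to IE Trusted Zone (relaxed security settings)")
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor/owner string")
    names_to_check = []  # file names living directly in the Windows directories
    for path in RE_PATH.findall(body):
        if kind == "O4" and _in_system32_subfolder(path):
            reasons.append("autorun target in a non-standard subfolder of system32")
        if kind in ("O2", "O4") and _directly_in_system_dir(path):
            names_to_check.append(path.rsplit("\\", 1)[1])
    rd = RE_RUNDLL.search(body)
    if rd:
        reasons.append("rundll32 loading a DLL by bare name: " + rd.group(1))
        names_to_check.append(rd.group(1))
    for name in names_to_check:
        if _stem_looks_random(name):
            reasons.append("random-looking file name in a Windows directory: " + name)
    return Finding(kind, line.strip(), reasons) if reasons else None


def triage(log_text):
    """Run every line through analyze_entry; return the findings in log order."""
    return [f for f in (analyze_entry(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

The output is a review queue, not a verdict: a flagged entry still needs the file looked up or submitted, exactly as Falu does with the crunner folder.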

#9 sk8nob

sk8nob
  • Topic Starter

  • Members
  • 6 posts

Posted 09 September 2006 - 03:08 PM

First off, I have no idea what:

O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe

refers to. Checking out its properties I see it was created the day my computer started having problems, and the Suspicious File Packer program wouldn't let me drop it in its window.

I did have trouble with Step 6. The only files I could find were test.exe and fedploy.exe, even though I enabled all files to be seen. Aside from that, everything else went smoothly and here are the two reports you requested:

Logfile of HijackThis v1.99.1
Scan saved at 4:01:17 PM, on 9/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\crunner\cproc.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\msiexec.exe
C:\HIjackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...99/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, September 09, 2006 3:56:05 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/09/2006
Kaspersky Anti-Virus database records: 222082
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 53040
Number of viruses found: 28
Number of infected objects: 57 / 0
Number of suspicious objects: 4
Duration of the scan process: 01:00:11

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/drsmartload849a849k.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/drsmartload849a849i.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\John\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\John\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\John\Desktop\Useless Crap\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\John\Desktop\Useless Crap\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\John\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\John\ntuser.dat Object is locked skipped
C:\Documents and Settings\John\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\HIjackthis\backups\backup-20060907-160258-886.dll Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2006-09-09.13-33-45.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000004.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.m skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000099.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000101.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000102.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000105.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000106.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000108.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000109.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000110.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000112.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000113.exe Infected: not-a-virus:AdWare.Win32.Mirar.d skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000114.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000115.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000116.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000119.exe Infected: not-a-virus:AdWare.Win32.RK.a skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000120.dll Infected: not-a-virus:AdWare.Win32.Mirar.b skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000121.exe/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000121.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000121.exe/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000121.exe/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000121.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000121.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000121.exe RarSFX: infected - 6 skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000436.exe Object is locked skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000494.exe Object is locked skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000526.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.i skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000527.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.i skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000528.exe Infected: not-a-virus:AdWare.Win32.Agent.ag skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000529.exe Object is locked skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000530.exe Infected: Trojan-Downloader.Win32.VB.amh skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000531.exe Object is locked skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000532.exe Object is locked skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000533.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000533.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000533.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000534.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000535.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.s skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000538.exe Object is locked skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000539.sam Infected: Trojan.Win32.Qhost.hl skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000541.dll Object is locked skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000542.exe Object is locked skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000543.exe Object is locked skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000544.exe Object is locked skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000546.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000547.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000548.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000549.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000550.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000551.ocx Infected: Trojan-Dropper.Win32.VB.dq skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000552.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.o skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000553.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bj skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000554.dll Infected: not-a-virus:AdWare.Win32.Mirar.a skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000563.dll Object is locked skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP3\A0000792.dll Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP5\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Setup90.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\Setup90.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\Setup90.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\Setup90.exe NSIS: infected - 3 skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\srvcvqjukp.exe Object is locked skipped
C:\WINDOWS\srvtjsahok.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped
C:\WINDOWS\srvtjsahok.exe NSIS: infected - 1 skipped
C:\WINDOWS\srvwbjfgyi.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped
C:\WINDOWS\srvwbjfgyi.exe NSIS: infected - 1 skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\bkkcb056.dll Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dfcpr.dll Infected: Trojan-Spy.Win32.Mxsender.f skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd5469.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\loadadv559.exe Infected: Trojan-Downloader.Win32.Small.dib skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Edited by sk8nob, 10 September 2006 - 12:13 AM.


#10 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:29 AM

Posted 11 September 2006 - 06:01 AM

Hi sk8nob,

1.

the Suspicious File Packer program wouldn't let me drop it in its window.


Okay let's try it this way: Create a folder called c:\submit. Now copy the following folder into that directory:

C:\WINDOWS\system32\crunner

To copy the folder simply navigate to the directory it is in and right click on the foldername, and then click on copy option. Now go back to the c:\submit folder and right click in the folder and select the paste option.

Once the folder is copied zip the folder and rename submit.zip to yourmembername.zip (for example grinler.zip). If you are using XP or ME right-click on the folder and click on the Send To option and then send it to a Compressed folder. You will now see a file called yourmembername.zip. If you are using another version of Windows, please download a program called Winzip and zip it using that.

When the folder is zipped, go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields, browse to the folder you are submitting, and finally click on the Send File button.

2. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

3. Run HijackThis, click Scan and checkmark the following entries:

O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O15 - Trusted Zone: *.elitemediagroup.net


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

4. I assume you still have hidden files disabled.

Look for and delete these files in bold:

C:\WINDOWS\Setup90.exe
C:\WINDOWS\srvtjsahok.exe
C:\WINDOWS\srvwbjfgyi.exe
C:\WINDOWS\system32\dfcpr.dll
C:\WINDOWS\system32\loadadv559.exe

5. Reboot to go back into Normal Mode.

6. Download DelDomains.inf and unzip it to your desktop. Do not run it yet!

Right-click on the deldomains.inf file that you saved earlier on your desktop and select 'Install'

This will remove all entries in the "Trusted Zone" and "Ranges" also. You will have to reimmunize with Spybot after doing this.

7. Go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Please post the ActiveScan report together with a fresh HijackThis log.
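Added example (not code from this thread or from any scanner vendor): a small triage script that reads lines in the format of the scan log posted above and separates live files carrying a detection (the same five files listed for deletion in step 4) from hits inside System Restore snapshots and from locked executables the scanner never inspected. It assumes only the three line shapes visible in that log; the sample lines are copied from it.

```python
"""Sort a Kaspersky-style scan log (as posted above) into actionable buckets.
Added example, not code from this thread or from any scanner; archive members
('x.exe/data0002') are folded onto their container file."""
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the log posted above.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{E2776B3D-D4D9-4572-830A-9A1E7699DDA2}\RP1\A0000551.ocx Infected: Trojan-Dropper.Win32.VB.dq skipped
C:\WINDOWS\Setup90.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\Setup90.exe NSIS: infected - 3 skipped
C:\WINDOWS\srvcvqjukp.exe Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\dfcpr.dll Infected: Trojan-Spy.Win32.Mxsender.f skipped
"""
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)"
    r"|NSIS: infected - (?P<count>\d+)"
    r"|Object is locked) skipped$"
)
RESTORE_PREFIX = "c:\\system volume information\\"  # System Restore snapshots
EXEC_EXT = (".exe", ".dll", ".ocx", ".sys", ".scr")


def triage(log_text):
    """Return {'remove': live detections (the step-4 list), 'restore_point':
    detections inside restore snapshots (purge the points instead of deleting
    files), 'unscanned': locked executables the scanner never inspected}."""
    detections = defaultdict(set)  # container path -> detection names
    locked = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        container = m.group("path").split("/")[0]  # drop '/data0002' member
        if m.group("name") or m.group("count"):  # member hit or NSIS summary
            detections[container].update(filter(None, [m.group("name")]))
        else:  # 'Object is locked': the file was not inspected at all
            locked.add(container)
    out = {"remove": [], "restore_point": [], "unscanned": []}
    for path, names in detections.items():
        in_rp = path.lower().startswith(RESTORE_PREFIX)
        out["restore_point" if in_rp else "remove"].append((path, sorted(names)))
    for path in locked:
        if path.lower().endswith(EXEC_EXT) and not path.lower().startswith(RESTORE_PREFIX):
            out["unscanned"].append(path)
    return {key: sorted(val) for key, val in out.items()}
```

Run over the full log above, the "remove" bucket reproduces the five paths in step 4, while locked registry hives and log files are left out as expected.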

#11 sk8nob

sk8nob
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:29 AM

Posted 18 September 2006 - 12:42 PM

Sorry I haven't responded, but my computer started to shut down after about 2 minutes whenever I started it up. It gave me the blue screen and a number of different STOP messages, even though I tried your recommendations before it started to happen. After a week of not being able to use my computer I reformatted Sunday morning, but thanks for all your help.

#12 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:29 AM

Posted 19 September 2006 - 04:47 AM

Hi sk8nob, :thumbsup:

Sorry I haven't responded, but my computer started to shut down after about 2 minutes whenever I started it up. It gave me the blue screen and a number of different STOP messages, even though I tried your recommendations before it started to happen. After a week of not being able to use my computer I reformatted Sunday morning, .......


Sorry to hear that.

......... but thanks for all your help.


You're very welcome.

Please follow these recommendations in order to prevent future infections:

a. Visit Windows Update on a regular basis to stay current with critical updates.

b. Use a Firewall. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. There are several good but for free programmes available like:

Sygate
Kerio
Zone alarm

For a tutorial on Firewalls and a listing of some available ones click: Understanding and Using Firewalls!

c. It is very important that your computer has anti-virus software running. For your information, see this link for a listing of some online and stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources!

d. Install and run the following free programs:

* Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here!

* Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here! Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

* SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here!

* SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here!

* IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Keep all these programs (including your anti-virus) up-to-date and run them regularly.
If you do not update regularly they will not be able to catch any of the new variants that may come out.

e. I recommend you read Tony Klein's excellent article: So how did I get infected in the first place?

f. If you want to fight back the Malware Writers, please take a look here!

Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BleepingComputer Forums, we also help people with other computer problems! Do not forget to tell your friends about us!

Good luck!



