
The Spy Guard Malware (hjt Log)


  • This topic is locked
6 replies to this topic

#1 akmarksman

  • Members
  • 16 posts

Posted 06 September 2006 - 10:17 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:12:56 PM, on 9/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atmclk.exe
C:\WINDOWS\System32\dcomcfg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\38f55449.exe
C:\Program Files\MalwareWipe\MalwareWipe.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\MalwareWipe\MalwareWipe.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\System32\hp100.tmp
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\System32\hp100.tmp
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [38f55449.exe] C:\WINDOWS\System32\38f55449.exe
O4 - HKLM\..\Run: [MalwareWipe] C:\Program Files\MalwareWipe\MalwareWipe.exe /h
O4 - HKLM\..\Run: [rxwnrtg.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\rxwnrtg.dll,nhtynj
O4 - HKCU\..\Run: [38f55449.exe] C:\Documents and Settings\Kids_2\Local Settings\Application Data\38f55449.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O20 - AppInit_DLLs: notepad.dll C:\WINDOWS\System32\notepad.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



#2 rookie147

  • Members
  • 5,321 posts

Posted 07 September 2006 - 10:51 AM

Hello akmarksman, and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Please take note of the following:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 rookie147

  • Members
  • 5,321 posts

Posted 08 September 2006 - 09:07 AM

Hello akmarksman, sorry for the delay in getting back to you.

======

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

======

Go to Start | Control Panel | Add/Remove Programs and remove the following (if they exist):

MalwareWipe

Remember that this may require you to reboot your computer to complete the uninstallation; just let it.

======

Update Java:
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search in the list for all previously installed versions of Java (J2SE Runtime Environment ...).

    It should have the Java icon next to it.
    Select it and click Remove.
  • The current version can be downloaded from Sun here: http://java.sun.com/javase/downloads/index.jsp Scroll down the page to 'Java Runtime Environment (JRE) 5.0 Update 8' and press the 'Download' button. On the new web page, click the 'Accept License Agreement' button. Then select 'Windows Offline Installation, Multi-language' in the Windows Platform area just below the Accept button.
======

Download ewido anti-spyware from HERE and save that file to your desktop.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the "Update" icon then click "Start Update". The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
Close ewido anti-spyware.

======

Now, please reboot your computer into Safe Mode. This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep. Then select Safe Mode from the list.

======

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\System32\hp100.tmp
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\System32\hp100.tmp
O4 - HKLM\..\Run: [38f55449.exe] C:\WINDOWS\System32\38f55449.exe
O4 - HKLM\..\Run: [MalwareWipe] C:\Program Files\MalwareWipe\MalwareWipe.exe /h
O4 - HKLM\..\Run: [rxwnrtg.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\rxwnrtg.dll,nhtynj
O4 - HKCU\..\Run: [38f55449.exe] C:\Documents and Settings\Kids_2\Local Settings\Application Data\38f55449.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O20 - AppInit_DLLs: notepad.dll C:\WINDOWS\System32\notepad.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

======

Next, please find and delete the following files/folders (if present):

C:\WINDOWS\System32\atmclk.exe <--This file
C:\WINDOWS\System32\dcomcfg.exe <--This file
C:\Program Files\MalwareWipe <--This folder
C:\WINDOWS\System32\hp100.tmp <--This file
C:\WINDOWS\System32\38f55449.exe <--This file
C:\WINDOWS\System32\rxwnrtg.dll <--This file
C:\Documents and Settings\Kids_2\Local Settings\Application Data\38f55449.exe <--This file
C:\WINDOWS\System32\notepad.dll <--This file

======

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

======
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • Ewido will now begin the scanning process; be patient, this may take a little time.
  • Ewido will list any infections found on the left-hand side. When the scan has finished, it should automatically set the recommended action to Quarantine--if not, click on Recommended Action and set it there. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right-hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close ewido.
======

Please post back with the following (you may need more than one reply to get them all in!):
-New HijackThis log
-smitfiles.txt
-Ewido log

Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
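A defender-side triage of the kinds of HijackThis entries the post above singles out (hijacked R0/R1 search pages, unnamed BHOs loaded from .tmp files, Run entries with random hex names or generated-looking rundll32 targets, DPF downloads from untrusted hosts, a populated AppInit_DLLs). This is an added example, not code from the thread or from HijackThis itself; the heuristics, the trusted-host list and the constructed sample log are assumptions modelled on the entries posted here.

```python
"""Triage heuristics for HijackThis-format log lines (added example).

The rules below are assumptions chosen to match the entries discussed in
this thread; they are not HijackThis's own logic.
"""
import re
from urllib.parse import urlsplit

# Constructed sample log, modelled on the entries posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\System32\hp100.tmp
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [38f55449.exe] C:\WINDOWS\System32\38f55449.exe
O4 - HKLM\..\Run: [rxwnrtg.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\rxwnrtg.dll,nhtynj
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O20 - AppInit_DLLs: notepad.dll C:\WINDOWS\System32\notepad.dll
"""

# Assumed allow-list: hosts a start/search page or a DPF download may point at.
TRUSTED_SUFFIXES = ("microsoft.com", "msn.com", "google.com", "java.com")

# Heuristic: 8 hex digits + .exe is the random-name pattern seen in this thread.
HEX_NAME = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)
# rundll32 <dll>,<export> : capture DLL path and the exported entry point.
RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+(\S+?\.dll),(\S+)", re.IGNORECASE)


def _host_trusted(value: str) -> bool:
    """True when the URL or bare host in an R0/R1 or O16 value is allow-listed."""
    if "://" not in value:
        value = "http://" + value  # HijackThis prints bare domains for R0/R1
    host = (urlsplit(value).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def check_line(line: str):
    """Return a reason string if the line looks suspicious, else None."""
    if line.startswith(("R0 - ", "R1 - ")) and " = " in line:
        value = line.split(" = ", 1)[1].strip()
        if value and not _host_trusted(value):
            return "browser start/search page hijacked"
    elif line.startswith("O2 - BHO:"):
        name_part, _, path = line.rpartition(" - ")
        if "(no name)" in name_part or path.lower().endswith(".tmp") or path == "(no file)":
            return "unnamed BHO or BHO loaded from .tmp/missing file"
    elif line.startswith("O4 - "):
        target = line.split("] ", 1)[-1].strip().strip('"')
        if HEX_NAME.match(target.rsplit("\\", 1)[-1]):
            return "Run entry with random 8-hex-digit executable name"
        m = RUNDLL.search(line)
        # Generated names tend to be all-lowercase in both DLL and export;
        # vendor entries such as NvCpl.dll,NvStartup are mixed case.
        if m and m.group(1).rsplit("\\", 1)[-1].islower() and m.group(2).islower():
            return "rundll32 loading DLL with generated-looking name/export"
    elif line.startswith("O16 - DPF:"):
        url = line.rsplit(" - ", 1)[-1]
        if not _host_trusted(url):
            return "ActiveX download from untrusted host"
    elif line.startswith("O20 - AppInit_DLLs:"):
        if line.split(":", 1)[1].strip():
            return "AppInit_DLLs set: DLL injected into every GUI process"
    return None


def triage(log_text: str):
    """Return [(line, reason)] for every suspicious line, in log order."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reason = check_line(line)
            if reason:
                hits.append((line, reason))
    return hits


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason:55s} <- {line[:70]}")
```

The rules deliberately leave vendor entries (SSVHelper, Google Toolbar, NvCplDaemon, SoundMan) unflagged, so the output is the short list a helper would put on a Fix Checked list.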


#4 akmarksman

  • Topic Starter
  • Members
  • 16 posts

Posted 09 September 2006 - 11:11 PM

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:58:54 PM 9/9/2006

+ Scan result:



C:\Documents and Settings\Kids_2\Application Data\Οracle\nѕlookup.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1275210071-1417001333-839522115-1003\Dc12.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\oins.exe -> Downloader.PurityScan.cp : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win1252.tmp.exe -> Downloader.Small.cvw : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1275210071-1417001333-839522115-1003\Dc8.exe -> Downloader.Zlob.xn : Cleaned with backup (quarantined).
C:\Documents and Settings\Dr.Evil\Desktop\HijackThis\backups\backup-20060909-153728-496.dll -> Downloader.Zlob.xz : Cleaned with backup (quarantined).
C:\Documents and Settings\Dr.Evil\Desktop\HijackThis\backups\backup-20060909-153728-951.dll -> Downloader.Zlob.xz : Cleaned with backup (quarantined).
:mozilla.237:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.296:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.29:C:\Documents and Settings\Dr.Evil\Application Data\Mozilla\Firefox\Profiles\lrnnzvlc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.304:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.30:C:\Documents and Settings\Dr.Evil\Application Data\Mozilla\Firefox\Profiles\lrnnzvlc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.31:C:\Documents and Settings\Dr.Evil\Application Data\Mozilla\Firefox\Profiles\lrnnzvlc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.53:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.54:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.55:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.56:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.57:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.58:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.59:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.60:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.61:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.62:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Kids_2\Cookies\kids_2@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Kids_2\Cookies\kids_2@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.18:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Documents and Settings\Kids_2\Cookies\kids_2@admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned with backup (quarantined).
:mozilla.171:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
:mozilla.172:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
:mozilla.173:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
:mozilla.175:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.176:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.177:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.178:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.70:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Kids_2\Cookies\kids_2@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.36:C:\Documents and Settings\Dr.Evil\Application Data\Mozilla\Firefox\Profiles\lrnnzvlc.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
:mozilla.242:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup (quarantined).
:mozilla.185:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.295:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Kids_2\Cookies\kids_2@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
:mozilla.230:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.31:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.27:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.275:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.170:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.115:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.116:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.118:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.119:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.120:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.121:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.122:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.123:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.124:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.152:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.223:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.49:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.50:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.280:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
:mozilla.281:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
:mozilla.282:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
:mozilla.283:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
:mozilla.276:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup (quarantined).
:mozilla.109:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
:mozilla.110:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Kids_2\Cookies\kids_2@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
:mozilla.299:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
:mozilla.300:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
:mozilla.241:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Dr.Evil\Cookies\dr.evil@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.111:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.112:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.113:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.114:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.67:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.68:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.69:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\Kids_2\Cookies\kids_2@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Kids_2\Cookies\kids_2@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.278:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup (quarantined).
:mozilla.42:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.43:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.44:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.45:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Kids_2\Cookies\kids_2@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.255:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.256:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.286:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.268:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
:mozilla.269:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
:mozilla.270:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
:mozilla.271:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
:mozilla.272:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
:mozilla.273:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
:mozilla.277:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
:mozilla.303:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Dr.Evil\Cookies\dr.evil@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Kids_2\Cookies\kids_2@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.130:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.131:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.132:C:\Documents and Settings\Kids_2\Application Data\Mozilla\Firefox\Profiles\93hr2mef.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\Documents and Settings\Kids_2\Local Settings\Temp\cli8.tmp -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINDOWS\system32\winhld32.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\Documents and Settings\Kids_2\Local Settings\Temporary Internet Files\Content.IE5\G6NC7ANX\UDefender_Installer[1].exe -> Trojan.Fakealert : Cleaned with backup (quarantined).


::Report end

#5 akmarksman

  • Topic Starter
  • Members
  • 16 posts

Posted 09 September 2006 - 11:12 PM

SmitFraudFix v2.84

Scan done at 15:46:24.04, Sat 09/09/2006
Run from C:\Documents and Settings\Dr.Evil\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\system32\asxbbx.dll Deleted
C:\WINDOWS\system32\hp???.tmp Deleted
C:\WINDOWS\system32\ld???.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\yhbdupd.dll Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End



Logfile of HijackThis v1.99.1
Scan saved at 3:38:07 PM, on 9/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Dr.Evil\Desktop\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BBC90C8B-8456-B3F1-1697-B17074F03EFF} - C:\WINDOWS\System32\vfqsdzd.dll (file missing)
O2 - BHO: (no name) - {CBFDB1D9-7D3C-0894-6AEB-5480013D05B5} - C:\WINDOWS\System32\dblellcj.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [38f55449.exe] C:\Documents and Settings\Dr.Evil\Local Settings\Application Data\38f55449.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#6 rookie147

  • Members
  • 5,321 posts

Posted 12 September 2006 - 09:58 AM

Hello Akmarksman, sorry for the delay in getting back to you.

======

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

======

Please can you also empty your Recycle Bin by right-clicking on the icon on your desktop, then selecting Empty Recycle Bin.

======

Please visit the online Jotti Virus Scanner
Click on the Browse button.
Copy and paste the following filepath in the box:

C:\WINDOWS\System32\vfqsdzd.dll

Click on the Open button.
The scanner will check the file with various AV companies.
Copy and paste the results box into a reply to this thread.

======

Please complete the above step again with the following files:

C:\WINDOWS\System32\dblellcj.dll
C:\Documents and Settings\Dr.Evil\Local Settings\Application Data\38f55449.exe


======

Post back with a new HijackThis log, and can you also let me know what Jotti finds for each of these files.

Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
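The three files the helper asks to have scanned above are the ones a reader would pick out of the HijackThis log by hand: BHOs registered with no name or whose DLL is already gone, and a Run entry launching an eight-hex-digit executable from a per-user profile directory. The script below, an added example and not a BleepingComputer or HijackThis tool, turns those eyeballing rules into heuristics over the O2/O4 lines of such a log. The sample log is a constructed subset of the entries quoted in this thread; the rules are review prompts for a log reader, not a verdict on any file, and a legitimate unnamed BHO or a portable app started from a profile folder will be flagged too.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not a BleepingComputer tool)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a subset of the O2/O4/O23 entries quoted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {BBC90C8B-8456-B3F1-1697-B17074F03EFF} - C:\WINDOWS\System32\vfqsdzd.dll (file missing)
O2 - BHO: (no name) - {CBFDB1D9-7D3C-0894-6AEB-5480013D05B5} - C:\WINDOWS\System32\dblellcj.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [38f55449.exe] C:\Documents and Settings\Dr.Evil\Local Settings\Application Data\38f55449.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
""".strip()

# O2 = Browser Helper Object; HijackThis appends "(file missing)" when the DLL is not on disk.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O4 = Run key entry: [value name] followed by the command line.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Per-user, writable-without-admin locations where installers rarely put startup items (XP-era paths).
USER_WRITABLE_RE = re.compile(r"\\(Local Settings\\(Application Data|Temp)|Application Data)\\", re.IGNORECASE)
# Eight-hex-digit executable names, like the one in this thread's log (heuristic, assumption of this example).
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    path: str
    reasons: List[str] = field(default_factory=list)


def _exe_from_command(cmd: str) -> str:
    """Pull the launched executable out of a Run-key command line (quoted or bare, spaces allowed)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(?P<exe>.*?\.exe)", cmd, re.IGNORECASE)
    return m.group("exe") if m else cmd.split(" ", 1)[0]


def triage(log_text: str) -> List[Finding]:
    """Return the O2/O4 entries that trip at least one review heuristic, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            reasons = []
            if m.group("name") == "(no name)":
                reasons.append("BHO registered without a name")
            if m.group("missing"):
                reasons.append("BHO DLL no longer on disk (orphaned registration)")
            if reasons:
                findings.append(Finding(line, m.group("path"), reasons))
            continue
        m = O4_RE.match(line)
        if m:
            exe = _exe_from_command(m.group("cmd"))
            reasons = []
            if USER_WRITABLE_RE.search(exe):
                reasons.append("autorun launches from a per-user writable directory")
            basename = exe.rsplit("\\", 1)[-1]
            if HEX_NAME_RE.match(basename):
                reasons.append("executable name is eight hex digits")
            if reasons:
                findings.append(Finding(line, exe, reasons))
    return findings


def paths_to_scan(log_text: str) -> List[str]:
    """Flagged file paths worth submitting to a multi-engine scanner, de-duplicated, in log order."""
    seen: List[str] = []
    for f in triage(log_text):
        if f.path not in seen:
            seen.append(f.path)
    return seen


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.path)
        for r in f.reasons:
            print("   -", r)
```

On the sample, `paths_to_scan` returns exactly the three paths listed in the post above; the Java, Messenger and NVIDIA entries pass because they are named, present, and launched from Program Files or System32. The `USER_WRITABLE_RE` paths are the Windows XP profile layout used in this thread and would need the `AppData\Local` and `AppData\Roaming` forms on Vista and later.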


#7 illukka

    retar.. erm retired!

  • Security Colleague
  • 2,858 posts
  • Gender:Male
  • Location:The Pits Of Hell

Posted 21 September 2006 - 10:57 AM

Due to lack of feedback, this topic is now closed.

Contact the forum staff to get it reopened; this applies to the topic starter only.
Everyone else, start a new topic.

thank you rookie147 :thumbsup:
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor



