
I Have All The Tools, Just Need The Guidance...


  • This topic is locked
17 replies to this topic

#1 Rivercollin (Members, 15 posts)

Posted 02 October 2006 - 04:35 PM

I've downloaded all the necessary tools to combat the spyware in my laptop, I think; I just need some help knowing how to use them. I've downloaded HijackThis, AboutBuster, CCleaner and the latest version of Ewido. Please help. This stupid spyware and malware has got me stumped! Thank you in advance for your help!!!

Here is my Hijackthis log from a few minutes ago:
Logfile of HijackThis v1.99.1
Scan saved at 3:58:41 PM, on 10/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\O2Micro\SuperDJ\Monitor.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arvig.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adnet-plus.com/banners.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Arvig Communication Systems
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.eot.com:8080
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [O2PLEmonitor] C:\Program Files\O2Micro\SuperDJ\Monitor.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [PSof1] C:\WINNT\System32\PSof1.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [Ceaay] C:\Program Files\Isyl\Whagag.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [testit.exe] C:\WINNT\System32\testit.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINNT\System32\loadadv64
O4 - HKLM\..\Run: [wrapperouter.exeexeR] C:\WINNT\System32\wrapperouter.exeexeR
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\SYSC00.exe
O4 - HKLM\..\Run: [wrapperouter.exeg] C:\WINNT\System32\wrapperouter.exeg
O4 - HKLM\..\Run: [w020134c.dll] RUNDLL32.EXE w020134c.dll,I2 000177540020134c
O4 - HKLM\..\Run: [is11] C:\WINNT\System32\is11
O4 - HKLM\..\Run: [mil.exeHTML 4.] C:\WINNT\System32\mil.exeHTML 4.
O4 - HKLM\..\Run: [new.exe] C:\WINNT\System32\new.exe
O4 - HKLM\..\Run: [073Q3FX] ltwfw32.exe
O4 - HKLM\..\Run: [wanund] c:\winnt\system32\jlbbgte.exe r
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.arvig.com
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - (no file)
O20 - AppInit_DLLs: repairs303169566.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINNT\system32\irl4l53q1.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe


#2 Rivercollin (Topic Starter, Members, 15 posts)

Posted 02 October 2006 - 05:32 PM

Any help?

#3 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 05 October 2006 - 08:17 AM

Hello,

Aboutbuster is not needed here..

First of all, you didn't unzip/extract hijackthis.. and it's still in the tempfolder.
So I strongly advise to unzip/extract hijackthis.zip.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Create a permanent folder and move hijackthis.exe into it. The reason is that HijackThis creates backups, and when it's in your temp folder they can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

It is important you don't miss a step and perform everything in the right order!!

* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon as shown in the next picture: [image not reproduced]
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script
(alcanshorty.bfu) manually from the above URL (right-click on it and choose 'Save as', and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute' window.
Browse to the script you downloaded, click OK, and then Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

--------------------

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adnet-plus.com/banners.php
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [PSof1] C:\WINNT\System32\PSof1.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [Ceaay] C:\Program Files\Isyl\Whagag.exe
O4 - HKLM\..\Run: [testit.exe] C:\WINNT\System32\testit.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINNT\System32\loadadv64
O4 - HKLM\..\Run: [wrapperouter.exeexeR] C:\WINNT\System32\wrapperouter.exeexeR
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\SYSC00.exe
O4 - HKLM\..\Run: [wrapperouter.exeg] C:\WINNT\System32\wrapperouter.exeg
O4 - HKLM\..\Run: [w020134c.dll] RUNDLL32.EXE w020134c.dll,I2 000177540020134c
O4 - HKLM\..\Run: [is11] C:\WINNT\System32\is11
O4 - HKLM\..\Run: [mil.exeHTML 4.] C:\WINNT\System32\mil.exeHTML 4.
O4 - HKLM\..\Run: [new.exe] C:\WINNT\System32\new.exe
O4 - HKLM\..\Run: [073Q3FX] ltwfw32.exe
O4 - HKLM\..\Run: [wanund] c:\winnt\system32\jlbbgte.exe r
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - (no file)
O20 - AppInit_DLLs: repairs303169566.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINNT\system32\irl4l53q1.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
Don't worry if some entries won't go away, we'll deal with that later...

-------------------------

You have already Ewido installed...
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close Ewido and reboot!!
-------------------------

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog and the log from SuperAntispyware.
You may need several replies to post the logs.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 Rivercollin (Topic Starter, Members, 15 posts)

Posted 05 October 2006 - 08:43 PM

Hi again. I'm having a ton of problems. I've done everything on the list, but my computer freezes up the Ewido application when I try to quarantine the infections. Combofix will start, but then tells me I need to download more files and takes me to the download site. I download the files to the place it tells me, then it says I need to restart the Combofix program. I've downloaded the files it needs countless times over and I still can't get past that point. I'm not sure what to do on this one. I need help. If you need my HijackThis log again, here is the latest after the "Bruteforce" step.

Logfile of HijackThis v1.99.1
Scan saved at 20:40, on 06-10-05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\O2Micro\SuperDJ\Monitor.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\cscript.exe
C:\WINNT\system32\cscript.exe
C:\WINNT\system32\cscript.exe
C:\WINNT\system32\cscript.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arvig.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Arvig Communication Systems
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.eot.com:8080
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [O2PLEmonitor] C:\Program Files\O2Micro\SuperDJ\Monitor.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.arvig.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: repairs303169566.dll
O20 - Winlogon Notify: MediaContentIndex - C:\WINNT\system32\irp6l57s1.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#5 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 06 October 2006 - 01:11 AM

Quote: "Combofix will start, but then tell me I need to download more files and takes me to the download site"

What files is Combofix talking about? I already see where your problem may be... and that is your unusual install of XP. My thought here is that you installed XP on top of a Windows 2000 installation. This confuses a lot of programs.

Try next in the right order..

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
    (If Look2Me-Destroyer does not reopen automatically, reboot and try again.)
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

When done, I assume that your Brute Force Uninstaller is located in next folder as I asked you to create:

C:\BFU
  • Download sidekickFix.bat (rightclick on this link and choose save as)
  • Place sidekickFix.bat in your C:\BFU - folder. (Important!)
  • Double-click sidekickFix.bat. Close all browsers and Explorer folders.
  • Type Y for yes to start the fix and follow the prompts.
  • It will ask to reboot your computer, so please allow it to reboot.
  • After the PC has restarted please post another hijackthis log together with the log from Look2Me-Destroyer.txt present on your desktop.


#6 Rivercollin (Topic Starter, Members, 15 posts)

Posted 09 October 2006 - 03:27 PM

OK... sorry it took me so long to get back to this. I was out of town. I've followed all the steps and here are the logs you requested.


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 06-10-09 15:06:04

Infected! C:\WINNT\system32\lvl6093se.dll
Infected! C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134961.dll
Infected! C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134966.dll
Infected! C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134972.dll
Infected! C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134989.dll
Infected! C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134993.dll
Infected! C:\WINNT\system32\dnkquota.dll
Infected! C:\WINNT\system32\i606lgds1606.dll
Infected! C:\WINNT\system32\lvl6093se.dll

Attempting to delete infected files...

Attempting to delete: C:\WINNT\system32\lvl6093se.dll
C:\WINNT\system32\lvl6093se.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134961.dll
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134961.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134966.dll
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134966.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134972.dll
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134972.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134989.dll
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134989.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134993.dll
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134993.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\dnkquota.dll
C:\WINNT\system32\dnkquota.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\i606lgds1606.dll
C:\WINNT\system32\i606lgds1606.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\lvl6093se.dll
C:\WINNT\system32\lvl6093se.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CF216A6C-E7A8-4CA5-B6CD-C3EFA93C440C}"
HKCR\Clsid\{CF216A6C-E7A8-4CA5-B6CD-C3EFA93C440C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A375A72D-BDC7-4716-84AC-42E39A1AF552}"
HKCR\Clsid\{A375A72D-BDC7-4716-84AC-42E39A1AF552}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{617B922F-3FF3-4F78-B917-075B17DFD145}"
HKCR\Clsid\{617B922F-3FF3-4F78-B917-075B17DFD145}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{86F70BB7-8F9B-460B-B1BD-469EED664A19}"
HKCR\Clsid\{86F70BB7-8F9B-460B-B1BD-469EED664A19}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{20A68205-3337-4DBA-84C9-DB296E9A2F14}"
HKCR\Clsid\{20A68205-3337-4DBA-84C9-DB296E9A2F14}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{899E9930-1D25-49DA-A74A-0EBC337D2F65}"
HKCR\Clsid\{899E9930-1D25-49DA-A74A-0EBC337D2F65}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5053D3FA-F401-4066-9B3B-A8AE99769725}"
HKCR\Clsid\{5053D3FA-F401-4066-9B3B-A8AE99769725}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4F590805-0E20-4E3A-B692-3F38FF80978C}"
HKCR\Clsid\{4F590805-0E20-4E3A-B692-3F38FF80978C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7F00A59C-2A82-4795-B5FA-0F0B39829106}"
HKCR\Clsid\{7F00A59C-2A82-4795-B5FA-0F0B39829106}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{712A6485-584D-4891-AE1A-0A8AFE74C6FE}"
HKCR\Clsid\{712A6485-584D-4891-AE1A-0A8AFE74C6FE}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9E15EA19-B8CB-4B3D-BAE5-11DAB1D73C88}"
HKCR\Clsid\{9E15EA19-B8CB-4B3D-BAE5-11DAB1D73C88}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{71DA999B-CF2E-484F-9177-0BB4B2A4CAF6}"
HKCR\Clsid\{71DA999B-CF2E-484F-9177-0BB4B2A4CAF6}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CC2F46F5-6F40-4A36-BC67-5CDE13913CDB}"
HKCR\Clsid\{CC2F46F5-6F40-4A36-BC67-5CDE13913CDB}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F73440AF-AC87-4640-897F-2E1D3E5E7826}"
HKCR\Clsid\{F73440AF-AC87-4640-897F-2E1D3E5E7826}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{29040D53-DE2F-4029-B58E-7351B1B3449B}"
HKCR\Clsid\{29040D53-DE2F-4029-B58E-7351B1B3449B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7BD31222-D0F9-4C99-AFEA-DFBEBDB1EC16}"
HKCR\Clsid\{7BD31222-D0F9-4C99-AFEA-DFBEBDB1EC16}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{97EEC429-F73E-4652-8AEE-C172E06B6C45}"
HKCR\Clsid\{97EEC429-F73E-4652-8AEE-C172E06B6C45}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{96974B20-951C-4B37-8A8E-7E4F186042F3}"
HKCR\Clsid\{96974B20-951C-4B37-8A8E-7E4F186042F3}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9773A767-4E48-4776-8E47-EB893D05DC61}"
HKCR\Clsid\{9773A767-4E48-4776-8E47-EB893D05DC61}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{071C6169-7F19-4B7E-BB41-12F45BAF8440}"
HKCR\Clsid\{071C6169-7F19-4B7E-BB41-12F45BAF8440}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2F0FAF0D-448C-4B40-8E04-2160D1B9C5EF}"
HKCR\Clsid\{2F0FAF0D-448C-4B40-8E04-2160D1B9C5EF}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{14D5C67E-061A-4F41-BEC6-CB2210FC4DAD}"
HKCR\Clsid\{14D5C67E-061A-4F41-BEC6-CB2210FC4DAD}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E16BEFD1-FD30-4A7C-B476-68DEC769F35E}"
HKCR\Clsid\{E16BEFD1-FD30-4A7C-B476-68DEC769F35E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3AD87AC9-8ADF-4D89-89F3-8E6113C42CB1}"
HKCR\Clsid\{3AD87AC9-8ADF-4D89-89F3-8E6113C42CB1}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F7FE79E4-A5AF-4224-9AFD-A840F2F0F73F}"
HKCR\Clsid\{F7FE79E4-A5AF-4224-9AFD-A840F2F0F73F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F51693C3-40E9-4399-968A-6B5504A2A414}"
HKCR\Clsid\{F51693C3-40E9-4399-968A-6B5504A2A414}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{98EC798D-C929-4556-8793-34108FFBE5C6}"
HKCR\Clsid\{98EC798D-C929-4556-8793-34108FFBE5C6}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C44A3295-B3B5-4878-BBB7-A0AB6CE2AE0D}"
HKCR\Clsid\{C44A3295-B3B5-4878-BBB7-A0AB6CE2AE0D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CC70E410-3FC5-487D-9992-7E9714C44D20}"
HKCR\Clsid\{CC70E410-3FC5-487D-9992-7E9714C44D20}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{705C48FB-F8C1-4B03-9BC8-15E497F79837}"
HKCR\Clsid\{705C48FB-F8C1-4B03-9BC8-15E497F79837}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1A69948F-39DD-404D-93E8-042F0FB3C0D0}"
HKCR\Clsid\{1A69948F-39DD-404D-93E8-042F0FB3C0D0}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{07DE1424-5B04-453B-B86E-FFC7EBEE5178}"
HKCR\Clsid\{07DE1424-5B04-453B-B86E-FFC7EBEE5178}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{90F8FEC7-7257-4078-920D-DF9DC940B568}"
HKCR\Clsid\{90F8FEC7-7257-4078-920D-DF9DC940B568}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5108F651-CAA1-49EE-9919-AAE791D0457E}"
HKCR\Clsid\{5108F651-CAA1-49EE-9919-AAE791D0457E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5540F9D2-5F8D-42AE-B475-846212208D8F}"
HKCR\Clsid\{5540F9D2-5F8D-42AE-B475-846212208D8F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A5EF9A60-478E-444A-8A95-64AA119C6BAA}"
HKCR\Clsid\{A5EF9A60-478E-444A-8A95-64AA119C6BAA}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1954C023-EAB1-4764-9025-F68513CB480B}"
HKCR\Clsid\{1954C023-EAB1-4764-9025-F68513CB480B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{44084CB7-1032-4905-8852-297BD8A7B504}"
HKCR\Clsid\{44084CB7-1032-4905-8852-297BD8A7B504}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{16424969-0E5F-4F15-BD83-4F0E329EC648}"
HKCR\Clsid\{16424969-0E5F-4F15-BD83-4F0E329EC648}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{078B06D1-A20C-4234-8BE2-BF4BAE730499}"
HKCR\Clsid\{078B06D1-A20C-4234-8BE2-BF4BAE730499}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8038A509-177D-4472-811B-02241328E191}"
HKCR\Clsid\{8038A509-177D-4472-811B-02241328E191}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{57E8E216-155D-4916-88B2-971A9A87691B}"
HKCR\Clsid\{57E8E216-155D-4916-88B2-971A9A87691B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{10B6096E-49EE-427F-A744-A644C0B18C9D}"
HKCR\Clsid\{10B6096E-49EE-427F-A744-A644C0B18C9D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E7CAE144-7A68-4EF8-AEF4-59B5FDFAA2FC}"
HKCR\Clsid\{E7CAE144-7A68-4EF8-AEF4-59B5FDFAA2FC}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F0BDA399-087C-4E69-B100-6E6772540BB6}"
HKCR\Clsid\{F0BDA399-087C-4E69-B100-6E6772540BB6}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{10BB6C89-312E-40AD-A2C1-1BFC2AF47C9A}"
HKCR\Clsid\{10BB6C89-312E-40AD-A2C1-1BFC2AF47C9A}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded




Logfile of HijackThis v1.99.1
Scan saved at 15:23, on 06-10-09
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\O2Micro\SuperDJ\Monitor.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\HiJackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arvig.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Arvig Communication Systems
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.eot.com:8080
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [O2PLEmonitor] C:\Program Files\O2Micro\SuperDJ\Monitor.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.arvig.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#7 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 09 October 2006 - 03:33 PM

Good, we made progress here...

As a final cleanup, since many leftovers will still be present, perform the following:

Download and install Superantispyware
  • Load Superantispyware and click the check for updates button.
  • Once the update is finished click the scan your computer button.
  • Check "Perform Complete Scan" and then click Next.
  • Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
  • I'll need a log afterwards of what has been found.
  • To get the log, Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Post the contents of the log in your next reply.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 Rivercollin
  • Topic Starter
  • Members
  • 15 posts

Posted 09 October 2006 - 04:20 PM

ok...you were right. SuperAntispyware asked me to reboot after the scan. So here is the log from that scan. By the way, I'm not sure if this is related to my spyware issue or if it's a whole other topic, but when the "Log on to Windows" box that asks me for my password comes up when I power up, it has an "I can see you, and Jesus can see you too" message in the box. Is this related to the spyware that we're fixing now? Anyway, here's the latest:

SUPERAntiSpyware Scan Log
Generated 10/09/2006 at 04:06 PM

Core Rules Database Version : 3100
Trace Rules Database Version: 1127

Memory threats detected : 0
Registry threats detected : 36
File threats detected : 69

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@ads.traffic-o-rama[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@drivecleaner[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@kanoodle[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.yourtruths[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@emarketmakers[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@count3.exitexchange[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@exitexchange[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.drivecleaner[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@kmpads[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@stopzilla[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@count4.exitexchange[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@server.iad.liveperson[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@80503492[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adserve.webtoolcafe[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@count.exitexchange[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.stopzilla[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@count2.exitexchange[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@keywordmax[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.ampmsearch[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@btg.btgrab[1].txt

Adware.Apropos Media
C:\Program Files\Aprps\ace.dll
C:\Program Files\Aprps\AI_19-07-2005.log
C:\Program Files\Aprps\AI_22-07-2005.log
C:\Program Files\Aprps\atl.dll
C:\Program Files\Aprps\libexpat.dll
C:\Program Files\Aprps\uninstaller.exe
C:\Program Files\Aprps

Adware.SurfSideKick
C:\Documents and Settings\Administrator\Application Data\Sskuknwrd.dll
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0133509.dll
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0133510.dll
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134853.exe
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0135041.exe
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0135042.dll
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0135043.dll

Adware.QuickLinks
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\JGAf
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\JGAf#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\JGAf#UninstallString

Registry Cleaner Trial
HKU\S-1-5-21-3880834986-794007587-3749586214-500\Software\Registry Cleaner
HKU\S-1-5-21-3880834986-794007587-3749586214-500\Software\SoftwareOnline.com
C:\Documents and Settings\Administrator\Application Data\Registry Cleaner\Backups\2005-09-04,10-56 47 803.zip
C:\Documents and Settings\Administrator\Application Data\Registry Cleaner\Backups\2006-09-26,09-30 05 888.zip
C:\Documents and Settings\Administrator\Application Data\Registry Cleaner\Backups
C:\Documents and Settings\Administrator\Application Data\Registry Cleaner\RegClean.ini
C:\Documents and Settings\Administrator\Application Data\Registry Cleaner

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Adware.MediaMotor
HKCR\Interface\{597AA130-F00B-40B8-ADAF-529D4DA9BE52}
HKCR\Interface\{597AA130-F00B-40B8-ADAF-529D4DA9BE52}\ProxyStubClsid
HKCR\Interface\{597AA130-F00B-40B8-ADAF-529D4DA9BE52}\ProxyStubClsid32
HKCR\Interface\{597AA130-F00B-40B8-ADAF-529D4DA9BE52}\TypeLib
HKCR\Interface\{597AA130-F00B-40B8-ADAF-529D4DA9BE52}\TypeLib#Version
HKCR\Interface\{7682C1A6-C500-4C78-93B9-5A76A91520F8}
HKCR\Interface\{7682C1A6-C500-4C78-93B9-5A76A91520F8}\ProxyStubClsid
HKCR\Interface\{7682C1A6-C500-4C78-93B9-5A76A91520F8}\ProxyStubClsid32
HKCR\Interface\{7682C1A6-C500-4C78-93B9-5A76A91520F8}\TypeLib
HKCR\Interface\{7682C1A6-C500-4C78-93B9-5A76A91520F8}\TypeLib#Version

Trojan.Malware
C:\asdf.txt

Adware.Elite Media
C:\WINNT\elitemediagroup.ini

Adware.ClickSpring/Yazzle
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1119Oin
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1119Oin#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1119Oin#UninstallString
C:\Program Files\Common Files\Yazzle1119OinUninstaller.exe

Trojan.Unknown Origin
C:\bintheredunthat\ventfe1.exe
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0134209.vbs
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0134386.exe
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134852.vbs
C:\WINNT\check012906.ini
C:\WINNT\tempf.txt
C:\WINNT\Uninst2.htm
C:\WINNT\Unist1.htm

Trojan.NewDotNet
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0134212.exe
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0134383.exe

Trojan.ZenoSearch
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0134368.exe

Adware.Popuppers
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0134369.exe

Adware.Mirar/NetNucleus
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0134377.exe

Unclassified.Unknown Origin
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0134388.dll
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0134390.dll

TargetSaver, Inc. Process
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP104\A0134746.exe

Adware.NicTech Networks
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134881.exe
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134898.exe
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134983.DLL
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0135000.dll

Trojan.LoadAdV64
C:\WINNT\system32\loadadv64

Adware.ClickSpring/PuritySCAN
C:\WINNT\system32\wnstssv.exe

#9 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 10 October 2006 - 12:17 AM

Hello,
Guess we have to hunt for more malware here...

Let's clean your temp folders first, because logs may be huge afterwards otherwise.
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to Start > Run and type: cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Download Silent Runners
Unzip it to a permanent folder.
Start SilentRunners.vbs
When your antivirus is giving an alert, do not block this. Allow the script.
Please wait until it prompts you the scan is finished!
It will create a txt file afterwards. I need that one later.

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. I need the log from the Kaspersky scan later.

* Download sophos-anti-rootkit: http://www.sophos.com/products/free-tools/...ti-rootkit.html
  • Place it on your desktop.
  • Double-click sarsfx.exe to extract the files. Leave the default settings.
  • Open the folder C:\SOPHTEMP and double-click sargui.exe to start the program.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click the "Start Scan" button.
  • Click the "OK" button after you get the notification that the scan has finished. This to close the program. Don't check anything in it yet, because legit entries may be present there as well!
  • Then, go to start > run and copy and paste next in the field: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Post this log in your next reply together with the log from Kaspersky and Silent Runners. You may need several different replies to post the logs since they won't fit in one.


#10 Rivercollin
  • Topic Starter
  • Members
  • 15 posts

Posted 10 October 2006 - 10:44 PM

ok...here is the first of the three logs:

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"ctfmon.exe" = "C:\WINNT\System32\ctfmon.exe" [MS]
"Windows Registry Repair Pro" = "C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4" [file not found]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"GWMDMMSG" = "GWMDMMSG.exe" ["GTW"]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"GWMDMpi" = "C:\WINNT\GWMDMpi.exe" [null data]
"Gateway Ink Monitor" = ""C:\Program Files\Gateway Utilities\GWInkMonitor.exe"" ["Gateway"]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"O2PLEmonitor" = "C:\Program Files\O2Micro\SuperDJ\Monitor.exe" [null data]
"Microsoft Works Update Detection" = "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"NAV CfgWiz" = "C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"" ["Symantec Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online Included"
-> {HKLM...CLSID} = "America Online Included"
\InProcServer32\(Default) = "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {HKLM...CLSID} = "Adaptec DirectCD Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare Objects"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare UNC Folder Menu"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare Hood Verbs"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]
INFECTION WARNING! "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"
-> {HKLM...CLSID} = "NetWare UNC Folder Menu"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINNT\web\wallpaper\Bliss.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\System32\logon.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINNT\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.arvig.com

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Client Service for NetWare, NWCWorkstation, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\nwwks.dll" [MS]}
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
Norton AntiVirus Auto Protect Service, navapsvc, "C:\Program Files\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
SAVScan, SAVScan, "C:\Program Files\Norton AntiVirus\SAVScan.exe" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINNT\wanmpsvc.exe"" ["America Online, Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 400 seconds, including 22 seconds for message boxes)

#11 Rivercollin (Topic Starter, Members, 15 posts)

Posted 10 October 2006 - 10:46 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
06-10-10 20:46
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 11/10/2006
Kaspersky Anti-Virus database records: 217220
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 58819
Number of viruses found: 16
Number of infected objects: 77 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:36:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0133497.ocx.bac_a03632 Infected: Trojan-Dropper.Win32.VB.dq skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0134233.ocx.bac_a03632 Infected: Trojan-Dropper.Win32.VB.dq skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0134378.ocx.bac_a03632 Infected: Trojan-Dropper.Win32.VB.dq skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\A0134828.dll.bac_a02268 Infected: Trojan-Downloader.Win32.Apropo.ag skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\CxtPls.dll.bac_a03632 Infected: Trojan-Downloader.Win32.Apropo.ag skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\27705434.exe/EXE-file Infected: Email-Worm.Win32.Plexus.b skipped
C:\Program Files\Norton AntiVirus\Quarantine\27705434.exe/EXE-file Infected: Backdoor.Win32.Dumador.cp skipped
C:\Program Files\Norton AntiVirus\Quarantine\27705434.exe Embedded EXE: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\27705434.exe PE_Patch: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\27705434.exe CryptFF: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\4B5528CC Infected: Trojan-Downloader.Win32.Apropo.ag skipped
C:\Program Files\Norton AntiVirus\Quarantine\5E260698.htm Infected: Trojan-Downloader.JS.Psyme.an skipped
C:\Program Files\Norton AntiVirus\Quarantine\69550994/track29.htm Infected: Trojan-Downloader.VBS.Psyme.x skipped
C:\Program Files\Norton AntiVirus\Quarantine\69550994 CHM: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\69550994 CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\6B652BCE Infected: Trojan-Downloader.Win32.Apropo.ag skipped
C:\Program Files\Norton AntiVirus\Quarantine\6BBD196D Infected: Trojan-Downloader.Win32.IstBar.ms skipped
C:\Program Files\Norton AntiVirus\Quarantine\6F462666 Infected: Trojan-Downloader.Win32.Apropo.ai skipped
C:\Program Files\Norton AntiVirus\Quarantine\7A7762E6 Infected: Trojan-Downloader.Win32.Apropo.ai skipped
C:\Program Files\Norton AntiVirus\Quarantine\7AD76264 Infected: Trojan-Downloader.Win32.Apropo.ae skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0132487.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0132487.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0132487.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0133541.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0133541.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0133541.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0133883.exe/Stream/data0009 Infected: Rootkit.Win32.Agent.af skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0133883.exe/Stream Infected: Rootkit.Win32.Agent.af skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0133883.exe Inno: infected - 2 skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0133915.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0133915.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP100\A0133915.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134855.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134855.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134855.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134857.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134857.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134925.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134925.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP106\A0134925.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP107\A0135050.dll Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP107\A0135052.dll Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP107\A0135053.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP108\change.log Object is locked skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP97\A0124912.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP97\A0124912.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP97\A0124912.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP97\A0125907.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP97\A0125907.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP97\A0125907.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP97\A0126893.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP97\A0126893.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP97\A0126893.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP98\A0126918.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP98\A0126918.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP98\A0126918.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP98\A0127931.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP98\A0127931.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP98\A0127931.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP99\A0127957.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP99\A0127957.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP99\A0127957.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP99\A0129351.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP99\A0129351.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP99\A0129351.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP99\A0129393.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP99\A0129393.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP99\A0129393.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP99\A0129430.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP99\A0129430.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP99\A0129430.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP99\A0130415.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP99\A0130415.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP99\A0130415.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP99\A0132412.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP99\A0132412.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP99\A0132412.exe NSIS: infected - 2 skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\mm81.ocx Infected: Trojan-Downloader.Win32.VB.ov skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\wiadebug.log Object is locked skipped
C:\WINNT\wiaservc.log Object is locked skipped

Scan process completed.

#12 Rivercollin (Topic Starter, Members, 15 posts)

Posted 10 October 2006 - 10:49 PM

and the third...although I'm pretty sure there's supposed to be more to it than this. I followed the directions...did I do something wrong here?


Sophos Anti-Rootkit Version 1.0 © 2006 Sophos Plc
Started logging on 06-10-10 at 22:24
Stopped logging on 06-10-10 at 22:26


Sophos Anti-Rootkit Version 1.0 © 2006 Sophos Plc
Started logging on 06-10-10 at 22:31
Stopped logging on 06-10-10 at 22:33

#13 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Gender: Female, Location: Belgium)

Posted 11 October 2006 - 03:12 AM

Hello,

No, you didn't do anything wrong. I just wanted to be sure all malware is erased first before we deal with that message at the Winlogon screen.

Delete next file:

C:\WINNT\mm81.ocx

The rest of the malware that was found was present in Quarantine folders. So, you can get rid of it by opening your Norton, choosing the Quarantine option and deleting anything present in there.

Also delete the contents of next folder:

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine

There are also files found in your System Restore points. To get rid of them, flush your System Restore points:
To do this, you have to disable System Restore and enable it again afterwards.
(Note: this will delete all your System Restore points and the malware that was present in them.)

How to disable System Restore in XP (link to instructions with screenshots)
After you have disabled System Restore, reboot. After rebooting, enable it again and create a new System Restore point.

Then open Notepad and copy and paste the following (from the quotebox) into it:

REG query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" >> look.txt
start notepad look.txt

Save this as look.bat (choose to save as *all files) and place it on your desktop.
Double-click on it and Notepad should open.
Copy and paste the contents of it in your next reply.
(In case you are unsure how to create a bat file, take a look here with screenshots.)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 Rivercollin (Topic Starter, Members, 15 posts)

Posted 11 October 2006 - 05:23 PM

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoRestartShell REG_DWORD 0x1
DefaultUserName REG_SZ Administrator
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PowerdownAfterShutdown REG_SZ 0
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShutdownWithoutLogon REG_SZ 0
System REG_SZ
Userinit REG_SZ userinit.exe
VmApplet REG_SZ rundll32 shell32,Control_RunDLL "sysdm.cpl"
SfcQuota REG_DWORD 0xffffffff
allocatecdroms REG_SZ 0
allocatedasd REG_SZ 0
allocatefloppies REG_SZ 0
cachedlogonscount REG_SZ 10
forceunlocklogon REG_DWORD 0x0
passwordexpirywarning REG_DWORD 0xe
scremoveoption REG_SZ 0
AllowMultipleTSSessions REG_DWORD 0x1
UIHost REG_EXPAND_SZ logonui.exe
LogonType REG_DWORD 0x0
Background REG_SZ 0 0 0
DefaultPassword REG_SZ
DebugServerCommand REG_SZ no
SFCDisable REG_DWORD 0x0
WinStationsDisabled REG_SZ 0
HibernationPreviouslyEnabled REG_DWORD 0x1
ShowLogonOptions REG_DWORD 0x0
AltDefaultUserName REG_SZ Administrator
AltDefaultDomainName REG_SZ S0031892979
DefaultDomainName REG_SZ S0031892979
New Value #1 REG_SZ
LogonPrompt REG_SZ I can see you, and Jesus can see you too!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials

#15 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Gender: Female, Location: Belgium)

Posted 12 October 2006 - 12:25 AM

Hello,

I see there was a LogonPrompt value created. This is not a default value on Windows 2000/XP.
I also have the feeling that this was created manually by someone, because I see a "New Value" there as well. This happens when someone creates a new value manually; if it had been a tool/program/whatever creating this, it would have created it right away.

Anyway, let's fix this.

First, I would like you to create a backup of that key. To do this, do the following:

Open Notepad and copy and paste the following (from the quotebox) into it:

regedit /a C:\backup.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Save this as backup.bat (choose to save as *all files) and place it on your desktop.
Double-click on it. This should create C:\backup.reg.

Then open Notepad and copy and paste the following (from the quotebox below) into it:
(Don't forget to copy and paste REGEDIT4.)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LogonPrompt"=-
"New Value"=-

Save this as fix.reg (choose to save as *all files) and place it on your desktop.
Double-click on it and, when it asks whether you want to merge the contents into the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Reboot your computer.
Let me know if the message is gone now.

Edited by miekiemoes, 12 October 2006 - 12:28 AM.

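As an added illustration of the two steps the helper walks through in posts #13 and #15 (dump the Winlogon key with REG query, then delete the hand-made values with a REGEDIT4 file), here is a Python script that is not part of the thread: it parses a trimmed copy of the REG.EXE 3.0 dump from post #14, flags value names missing from a baseline, checks Shell and Userinit for extra programs, and generates the matching "name"=- removal file. The baseline is an assumed allowlist built from this dump minus the two flagged values, not a Microsoft default list, and the generated line uses the name exactly as the dump spells it ("New Value #1").

```python
# Added example, not code from the thread: parse the REG.EXE 3.0 dump the helper
# asked for (post #13), flag what does not belong, and build the REGEDIT4 removal
# file the helper hand-wrote (post #15).
import re
from typing import Dict, List

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample: a trimmed copy of the dump posted in post #14.
SAMPLE_DUMP = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    LegalNoticeText     REG_SZ
    Shell               REG_SZ       explorer.exe
    Userinit            REG_SZ       userinit.exe
    New Value #1        REG_SZ
    LogonPrompt         REG_SZ       I can see you, and Jesus can see you too!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
"""

# ASSUMPTION: allowlist of value names seen under Winlogon on this XP SP1 box,
# i.e. the posted dump minus the two values the helper singled out. It is not an
# authoritative Microsoft default list, so an unknown name is a lead, not a verdict.
BASELINE_NAMES = {
    "AutoRestartShell", "DefaultUserName", "DefaultDomainName", "LegalNoticeCaption",
    "LegalNoticeText", "PowerdownAfterShutdown", "ReportBootOk", "Shell",
    "ShutdownWithoutLogon", "System", "Userinit", "VmApplet", "SfcQuota",
    "allocatecdroms", "allocatedasd", "allocatefloppies", "cachedlogonscount",
    "forceunlocklogon", "passwordexpirywarning", "scremoveoption",
    "AllowMultipleTSSessions", "UIHost", "LogonType", "Background", "DefaultPassword",
    "DebugServerCommand", "SFCDisable", "WinStationsDisabled",
    "HibernationPreviouslyEnabled", "ShowLogonOptions", "AltDefaultUserName",
    "AltDefaultDomainName",
}

# One value line: name (may contain spaces), a REG_* type, optional data.
_VALUE_RE = re.compile(
    r"^\s*(?P<name>.+?)\s+(?P<type>REG_(?:SZ|EXPAND_SZ|DWORD|BINARY|MULTI_SZ|NONE))\b"
    r"\s*(?P<data>.*)$"
)

def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key in a REG.EXE 3.0 query dump to its {value name: data}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):          # key lines are not indented
            current = line.strip()
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data").strip()
    return keys

def unexpected_values(values: Dict[str, str]) -> List[str]:
    """Value names not in the baseline, in the order the dump listed them."""
    return [n for n in values if n not in BASELINE_NAMES]

def audit_winlogon(values: Dict[str, str]) -> List[str]:
    """Findings: unknown names, plus extra programs hooked into Shell or
    Userinit, the two classic Winlogon persistence points."""
    findings = [f"unexpected value {n!r} = {values[n]!r}" for n in unexpected_values(values)]
    for name, stock in (("Shell", "explorer.exe"), ("Userinit", "userinit.exe")):
        entries = [e.strip() for e in values.get(name, "").split(",") if e.strip()]
        extras = [e for e in entries if e.lower().rsplit("\\", 1)[-1] != stock]
        if extras:
            findings.append(f"{name} launches extra program(s): {extras}")
    return findings

def _reg_escape(s: str) -> str:
    """Escape a value name for a .reg file (backslash first, then double quote)."""
    return s.replace("\\", "\\\\").replace('"', '\\"')

def build_removal_reg(key: str, names: List[str]) -> str:
    """REGEDIT4 text that deletes the named values ("name"=- means delete)."""
    lines = ["REGEDIT4", "", f"[{key}]"] + [f'"{_reg_escape(n)}"=-' for n in names]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    vals = parse_reg_query(SAMPLE_DUMP)[WINLOGON_KEY]
    for finding in audit_winlogon(vals):
        print("FINDING:", finding)
    print(build_removal_reg(WINLOGON_KEY, unexpected_values(vals)))
```

Run it against the output of the helper's look.bat instead of SAMPLE_DUMP to get the same check on a live dump; back the key up first, as post #15 does, before merging the generated file.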



