Linkoptimizer? Hijack Log


This topic is locked
13 replies to this topic

#1 slypieguy
  • Members
  • 13 posts

Posted 02 October 2006 - 04:52 PM

My Adaware keeps finding a registry thing called LinkOptimizer, and it is causing popups and seems to be greatly slowing my connection speed. Whenever I clean it with Adaware it comes back. Here is my HijackThis log, thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 5:45:18 PM, on 10/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PopupKiller\killer.exe
C:\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {71A97312-8C68-8468-135A-D25EF518556C} - C:\WINDOWS\lypki1.dll (file missing)
O4 - HKLM\..\Run: [aiepk] C:\PopupKiller\killer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AIM] C:\AIM\aim.exe -cnetwait.odl
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/...iveX/ofmctl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

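The HijackThis log above is a plain-text list of R/F/O entries, and a helper's first pass is usually to group them by section and pull out the ones worth a closer look. The Python below is an added example written for this page, not code from the thread or from HijackThis itself: it parses a handful of entries copied from the log (a constructed subset), counts entries per section, and flags the O2 BHO whose file is reported missing and which carries no descriptive name, plus the absent R3 URLSearchHook. The entry regex, the path extraction and the flagging rules are my own assumptions about the format.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the entries from the HijackThis log above,
# copied as-is (the full log has more O4/O16/O23 lines of the same shape).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {71A97312-8C68-8468-135A-D25EF518556C} - C:\WINDOWS\lypki1.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumed entry shape: "<section code> - <body>"
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass(frozen=True)
class Entry:
    code: str  # HijackThis section code, e.g. "O2" = browser helper objects
    body: str  # text after the code
    path: str  # file path named in the entry, "" when there is none


def _extract_path(code: str, body: str) -> str:
    if code == "O4":
        # O4 - HKLM\..\Run: [name] command  -> command comes after "] "
        tail = body.split("] ", 1)[-1]
    else:
        # Other sections put the path last, separated by " - "
        tail = body.rsplit(" - ", 1)[-1]
    tail = tail.replace("(file missing)", "").strip().strip('"')
    return tail if DRIVE_PATH_RE.match(tail) else ""


def parse_hjt(text: str) -> list[Entry]:
    """Parse the R/F/O entry lines of a HijackThis log; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"], _extract_path(m["code"], m["body"])))
    return entries


def count_by_code(entries: list[Entry]) -> Counter[str]:
    """How many entries each section contributed."""
    return Counter(e.code for e in entries)


def triage(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """Return (code, reason, path) for entries a helper would look at first."""
    findings = []
    for e in entries:
        if "(file missing)" in e.body:
            findings.append((e.code, "registered component whose file is no longer on disk", e.path))
        if e.code == "O2" and e.body.startswith("BHO: Class -"):
            findings.append((e.code, "BHO registered without a descriptive name", e.path))
        if e.code == "R3" and "missing" in e.body:
            findings.append((e.code, "default IE URLSearchHook entry is absent", e.path))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("entries per section:", dict(count_by_code(parsed)))
    for code, reason, path in triage(parsed):
        print(f"{code}: {reason}" + (f" -> {path}" if path else ""))
```

A "(file missing)" entry is not by itself proof of infection; it shows that a component is still registered although its file is gone, which is exactly the kind of leftover that a scanner removes and a re-installer puts back, so it is the entry to correlate with what the other tools report.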

#2 amateur
    Malware Fighter
  • Malware Response Team
  • 2,775 posts

Posted 03 October 2006 - 12:42 PM

Hello and welcome to BC.

Please download the Prevx1 tool from Here, but do not use it yet.

Reveal hidden files\folders
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears, select the View tab.
  • Place a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section, select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply and then the OK button, and shut down My Computer.
  • Now your computer is configured to show all hidden files.
  • For you and the tools to be able to see the appropriate files, we need to show hidden files.
Boot into Safe Mode
  • Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear; use the up arrow to highlight
  • Select the first option, to run Windows in Safe Mode, and hit Enter.
  • For additional help in booting into Safe Mode, see the following site: HERE
Now run the Prevx tool you downloaded to your desktop earlier.
Now boot into normal mode.

Note: It prompts you to download and try the Prevx1 software after you clean the PC; just say no.

Post a fresh HijackThis log please.

#3 slypieguy
  • Topic Starter
  • Members
  • 13 posts

Posted 03 October 2006 - 03:23 PM

I did accidentally run the tool you told me to download before switching to safe mode, but then I followed everything you said and ran it in safe mode. Here is the new log.

Logfile of HijackThis v1.99.1
Scan saved at 4:19:11 PM, on 10/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PopupKiller\killer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\ZoneAlarm\zlclient.exe
C:\AIM\aim.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {71A97312-8C68-8468-135A-D25EF518556C} - C:\WINDOWS\lypki1.dll (file missing)
O4 - HKLM\..\Run: [aiepk] C:\PopupKiller\killer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AIM] C:\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/...iveX/ofmctl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 amateur
    Malware Fighter
  • Malware Response Team
  • 2,775 posts

Posted 03 October 2006 - 04:58 PM

Hi,

Unfortunately the infection you have is a "rootkit". You can read more about it here. I need some feedback. Were you able to get a log from the tool, like:

Scanning Windows Directory...
C:\WINDOWS\............. is infected with Adware LinkOptimizer
C:\WINDOWS\............ is infected with Adware LinkOptimizer
Searching for EFS service files...
Trojan.Gromozon Removed!

Scan finished normally
For a detailed log, please refer to \gromozon_removal.log


Do you have any popups? If you didn't get a report like the one above, please run the tool again and see if you can get a report. Sometimes a repeated run of the tool works, as you'll see in this post.

Also try the following tool:

Please download and run the Symantec tool
o Download the FixLinkopt.exe file from: http://securityresponse.symantec.com/avcenter/FixLinkopt.exe.
o Save the file to a convenient location, such as your Windows desktop.
o Close all the running programs.
o If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
o Locate the file that you just downloaded.
o Double-click the FixLinkopt.exe file to start the removal tool.
o Click Start to begin the process, and then allow the tool to run.

NOTE: If you have any problems when you run the tool, or it does not appear to remove the threat, restart the computer in Safe mode and run the tool again.
o Restart the computer.
o Run the removal tool again to ensure that the system is clean.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information from Kaspersky in your next post along with a fresh HijackThis log + any other log you may have gotten from the above tools, and let me know how the computer is running.

#5 slypieguy
  • Topic Starter
  • Members
  • 13 posts

Posted 04 October 2006 - 04:09 PM

Ok, firstly, all of the programs you linked for me (except the web browser scanner) I was unable to access, I am guessing due to the virus, it made them broken links. So I accessed them on my laptop and emailed the files to myself. Then, for each program, when I tried to run them nothing happened. I tried in safe mode as well multiple times with the same result. Also, to answer your question, I am getting some popups, and it is very obvious they are caused by the spyware/virus, not by the webpages I am visiting. I am more noticing a decrease in computer/internet speed than anything else. Since none of the fixer programs ran, I don't think the HijackThis log has changed any, but here it is anyway:

Logfile of HijackThis v1.99.1
Scan saved at 5:04:35 PM, on 10/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {71A97312-8C68-8468-135A-D25EF518556C} - C:\WINDOWS\lypki1.dll (file missing)
O4 - HKLM\..\Run: [aiepk] C:\PopupKiller\killer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AIM] C:\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/...iveX/ofmctl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I was able to use the web scanner on the link you provided, here are the results of it:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, October 04, 2006 5:00:20 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 4/10/2006
Kaspersky Anti-Virus database records: 215634
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 76461
Number of viruses found: 11
Number of infected objects: 53 / 0
Number of suspicious objects: 1
Duration of the scan process: 00:53:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\.housecall\Quarantine\!update.exe.bac_a03772 Infected: Trojan-Downloader.Win32.PurityScan.co skipped
C:\Documents and Settings\user\.housecall\Quarantine\aupdate.exe.bac_a00500 Infected: Trojan-Downloader.Win32.Adload.k skipped
C:\Documents and Settings\user\.housecall\Quarantine\backup-20060708-182855-769.dll.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\eins005.exe.bac_a00500 Infected: Trojan-Downloader.Win32.Adload.k skipped
C:\Documents and Settings\user\.housecall\Quarantine\GS2.exe.bac_a03772/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\user\.housecall\Quarantine\GS2.exe.bac_a03772/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\user\.housecall\Quarantine\GS2.exe.bac_a03772 NSIS: infected - 2 skipped
C:\Documents and Settings\user\.housecall\Quarantine\GS2.exe.bac_a03772 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp100.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp101.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp102.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp103.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp104.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp105.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp106.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp107.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp108.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp109.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp110.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\iahpneg.exe.bac_a00500 Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\Documents and Settings\user\.housecall\Quarantine\simpole.tlb.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\!update.exe.bac_a03772 Infected: Trojan-Downloader.Win32.PurityScan.co skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\aupdate.exe.bac_a00500 Infected: Trojan-Downloader.Win32.Adload.k skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\backup-20060708-182855-769.dll.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\eins005.exe.bac_a00500 Infected: Trojan-Downloader.Win32.Adload.k skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\GS2.exe.bac_a03772/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\GS2.exe.bac_a03772/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\GS2.exe.bac_a03772 NSIS: infected - 2 skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\GS2.exe.bac_a03772 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp100.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp101.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp102.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp103.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp104.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp105.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp106.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp107.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp108.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp109.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp110.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\iahpneg.exe.bac_a00500 Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\img[1].tiff.bac_a02764 Suspicious: Exploit.Win32.IMG-WMF skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\ldC9AE.tmp.bac_a00384 Infected: not-virus:Hoax.Win32.Renos.dw skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\simpole.tlb.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\iinstall.exe Infected: Trojan-Downloader.Win32.IstBar.ou skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
C:\Kazaa\KaZaA\My Shared Folder\kmd161_en.exe/data0029/bdeviewer.exe Infected: Trojan.Win32.Krepper.y skipped
C:\Kazaa\KaZaA\My Shared Folder\kmd161_en.exe/data0029 Infected: Trojan.Win32.Krepper.y skipped
C:\Kazaa\KaZaA\My Shared Folder\kmd161_en.exe Inno: infected - 2 skipped
C:\Morpheus\Morph20.exe/WISE0015.BIN/WISE0007.BIN Infected: Trojan-Downloader.Win32.Stubby.b skipped
C:\Morpheus\Morph20.exe/WISE0015.BIN Infected: Trojan-Downloader.Win32.Stubby.b skipped
C:\Morpheus\Morph20.exe WiseSFX: infected - 2 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\USER-KNB88M16GH.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\ld101.tmp Infected: Trojan-Downloader.Win32.Zlob.xr skipped
C:\WINDOWS\system32\regperf.exe Infected: Trojan-Downloader.Win32.Zlob.xr skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\ѕуstem\winlogon.exe Infected: Trojan-Downloader.Win32.PurityScan.co skipped
C:\WINDOWS\Temp\ZLT04242.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT04245.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

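The Kaspersky report above lists one object per line with the verdict at the end, and two things in it deserve separate handling. Most of the Infected lines point into HouseCall's Quarantine folders, which hold stored copies rather than running code, while one live hit, C:\WINDOWS\system32\ѕуstem\winlogon.exe, sits in a directory whose name is spelled with Cyrillic letters that look like Latin "s" and "y" (the genuine winlogon.exe appears in the HijackThis process list at C:\WINDOWS\system32\winlogon.exe). The Python below is an added example for this page, not the thread's or Kaspersky's code: it parses a constructed subset of the report lines, separates quarantined from live hits, tallies detection names, and reports any non-ASCII characters in a path and any well-known system binary found outside its expected directory. The line-format regex and the expected-directory table are my assumptions.

```python
from __future__ import annotations

import re
import unicodedata
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a representative subset of the Kaspersky Online Scanner
# lines quoted in the post above (one object per line, status last). The
# winlogon.exe line is copied as-is; its "system" directory contains two
# Cyrillic letters that look like Latin "s" and "y".
SAMPLE_REPORT = r"""
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\.housecall\Quarantine\aupdate.exe.bac_a00500 Infected: Trojan-Downloader.Win32.Adload.k skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\GS2.exe.bac_a03772 NSIS: infected - 2 skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\img[1].tiff.bac_a02764 Suspicious: Exploit.Win32.IMG-WMF skipped
C:\Documents and Settings\user\Local Settings\Temp\iinstall.exe Infected: Trojan-Downloader.Win32.IstBar.ou skipped
C:\Kazaa\KaZaA\My Shared Folder\kmd161_en.exe/data0029 Infected: Trojan.Win32.Krepper.y skipped
C:\WINDOWS\system32\ld101.tmp Infected: Trojan-Downloader.Win32.Zlob.xr skipped
C:\WINDOWS\system32\regperf.exe Infected: Trojan-Downloader.Win32.Zlob.xr skipped
C:\WINDOWS\system32\ѕуstem\winlogon.exe Infected: Trojan-Downloader.Win32.PurityScan.co skipped
"""

# Assumed line shape: "<path> <verdict> skipped"
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<locked>Object is locked)"
    r"|Infected: (?P<infected>\S+)"
    r"|Suspicious: (?P<suspicious>\S+)"
    r"|(?P<packer>\S+): infected - \d+"
    r") skipped$"
)

# Where each well-known Windows binary is expected to live (assumed table; the
# clean path is the one in the HijackThis "Running processes" list above).
EXPECTED_DIR = {"winlogon.exe": r"c:\windows\system32"}


@dataclass(frozen=True)
class Hit:
    path: str
    verdict: str  # "locked", "infected", "suspicious" or "packed"
    name: str     # detection name; "" for locked objects, packer name for "packed"


def parse_report(text: str) -> list[Hit]:
    """Turn report lines into Hit records; lines that do not match are ignored."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m["locked"]:
            hits.append(Hit(m["path"], "locked", ""))
        elif m["infected"]:
            hits.append(Hit(m["path"], "infected", m["infected"]))
        elif m["suspicious"]:
            hits.append(Hit(m["path"], "suspicious", m["suspicious"]))
        else:
            hits.append(Hit(m["path"], "packed", m["packer"]))
    return hits


def is_quarantined(path: str) -> bool:
    """Objects inside another scanner's quarantine folder are stored copies, not running code."""
    return "\\quarantine\\" in path.lower()


def lookalike_chars(path: str) -> list[str]:
    """Describe every non-ASCII character in a path, e.g. 'U+0455 CYRILLIC SMALL LETTER DZE'."""
    return [f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')}" for ch in path if ord(ch) > 0x7F]


def misplaced_system_binary(path: str) -> bool:
    """True when a well-known system binary name sits outside its expected directory."""
    directory, _, basename = path.lower().rpartition("\\")
    expected = EXPECTED_DIR.get(basename)
    return expected is not None and directory != expected


def triage(hits: list[Hit]) -> dict:
    live, quarantined, lookalikes, misplaced = [], [], [], []
    by_name: Counter[str] = Counter()
    locked = 0
    for h in hits:
        if h.verdict == "locked":
            locked += 1  # in-use hives, logs and index.dat; not findings
            continue
        by_name[h.name] += 1
        (quarantined if is_quarantined(h.path) else live).append(h)
        if chars := lookalike_chars(h.path):
            lookalikes.append((h.path, chars))
        if misplaced_system_binary(h.path):
            misplaced.append(h.path)
    return {"locked_count": locked, "live": live, "quarantined": quarantined,
            "by_name": by_name, "lookalike_paths": lookalikes, "misplaced_binaries": misplaced}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print(f"{result['locked_count']} locked objects skipped (normal for in-use system files)")
    print(f"{len(result['quarantined'])} hits inside quarantine folders, {len(result['live'])} live hits")
    for h in result["live"]:
        print(f"  live: {h.path}  [{h.name}]")
    for path, chars in result["lookalike_paths"]:
        print(f"  non-ASCII characters in path: {path} -> {', '.join(chars)}")
    for path in result["misplaced_binaries"]:
        print(f"  system binary name outside its expected directory: {path}")
```

The "Object is locked" lines are registry hives, event logs and browser index.dat files that Windows keeps open; every online scanner skips them and they are not findings. The lookalike check matters because a file listing or a process list shows the Cyrillic path as an ordinary "system" folder, so a reader comparing it with the real C:\WINDOWS\system32\winlogon.exe by eye would not see the difference.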
#6 amateur
    Malware Fighter
  • Malware Response Team
  • 2,775 posts

Posted 04 October 2006 - 08:31 PM

Hi,

Unfortunately you seem to have the resistant type which prevents the running of the rootkit tools. In addition to this rootkit, you have signs of many other infections. I notice that you have Kazaa and Morpheus P2P file sharing programs, which are most likely the root of your problems. Please uninstall them from Add/Remove Programs in the Control Panel, and then delete their folders from the C:\ directory.

C:\Kazaa
C:\Morpheus


====================================================

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop. Do not use it yet.

====================================================

Please download Ccleaner and save it to your desktop. Do not use it yet.
Tutorial for CCleaner
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.
=====================================================

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

=======================================================

Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process. If your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

==========================================================

From Safe Mode, run CCleaner
  • Click on Options,
  • Select Advanced
  • Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
  • Make sure the Cleaner block on the left is selected.
  • Do not use the "Issues" block. It's meant for professionals.
  • Choose the Windows tab.
  • Check everything EXCEPT Advanced part of the Menu.
  • Click on "Analyze". This process could take a while.
  • If you don't want to lose your login passwords to certain sites, click on Options
  • Select cookies and move the ones you want to keep to the "cookies to keep" section, by highlighting and using the arrows in the middle.
  • Choose Run Cleaner.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.
If you have more than one user, run CCleaner for every user.

============================================================

Still in Safe Mode, close ALL open Browsers, Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
==============================================================
While in Safe Mode run Prevx1 tool again.
==============================================================
Reboot in Normal Mode.

==============================================================

Please download AVG Anti-Rootkit Beta here

Now follow the list of instructions to run an in-depth search.
  • Open AVG Anti-Rootkit Beta.
  • Select Perform in-depth search.
  • When the scan is completed select Save result to file (this is only possible if a rootkit or rootkits were found).
  • Save the log as a .txt file to your desktop and post the log in your next reply.
================================================================

Scan with Kaspersky again.

================================================================

Post back:

Smitfraud rapport.txt
AVG Anti-Spyware log
Prevx1 Gromozon Removal log
AVG Anti-Rootkit Beta results
Kaspersky results
and a Fresh HijackThis log please. You may need to post them separately if too long.



P.S. It may also be a good idea to backup all your documents, pictures, etc. for any eventuality.

#7 slypieguy

slypieguy
  • Topic Starter

  • Members
  • 13 posts

Posted 06 October 2006 - 02:04 PM

I was able to do everything you said in your last post, except Prevx still would not run in safe mode. Here are the logs:

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 2:59:34 PM, on 10/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PopupKiller\killer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\ZoneAlarm\zlclient.exe
C:\AIM\aim.exe
C:\fixwareout\AVG\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Microsoft Office\Office\WINWORD.EXE
C:\Hijack\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {71A97312-8C68-8468-135A-D25EF518556C} - C:\WINDOWS\lypki1.dll (file missing)
O4 - HKLM\..\Run: [aiepk] C:\PopupKiller\killer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AIM] C:\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/...iveX/ofmctl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\fixwareout\AVG\guard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Smitfraud:

SmitFraudFix v2.105

Scan done at 11:03:42.84, Fri 10/06/2006
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"altmannsberger"="{210b4043-35ca-4aa0-8796-191f9663dfb3}"


Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\system32\ld???.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Program Files\ZipCodec\ Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

AVG:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:48:39 PM 10/6/2006

+ Scan result:



HKLM\SOFTWARE\Cydoor -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9A26EC54-8880-4FD7-8674-37E61BC57EB0}\RP1390\A0286201.dll -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ѕуstem\winlogon.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9A26EC54-8880-4FD7-8674-37E61BC57EB0}\RP1396\A0287720.exe -> Downloader.Zlob.xr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9A26EC54-8880-4FD7-8674-37E61BC57EB0}\RP1363\A0283307.dll -> Downloader.Zlob.xz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9A26EC54-8880-4FD7-8674-37E61BC57EB0}\RP1363\A0283308.tlb -> Downloader.Zlob.xz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9A26EC54-8880-4FD7-8674-37E61BC57EB0}\RP1390\A0286260.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).


::Report end

The AVG rootkit tool did not find anything, so I don't have a log to post.


Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, October 06, 2006 2:59:06 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 6/10/2006
Kaspersky Anti-Virus database records: 216455
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 63117
Number of viruses found: 8
Number of infected objects: 44 / 0
Number of suspicious objects: 1
Duration of the scan process: 00:46:30

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\.housecall\Quarantine\!update.exe.bac_a03772 Infected: Trojan-Downloader.Win32.PurityScan.co skipped
C:\Documents and Settings\user\.housecall\Quarantine\aupdate.exe.bac_a00500 Infected: Trojan-Downloader.Win32.Adload.k skipped
C:\Documents and Settings\user\.housecall\Quarantine\backup-20060708-182855-769.dll.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\eins005.exe.bac_a00500 Infected: Trojan-Downloader.Win32.Adload.k skipped
C:\Documents and Settings\user\.housecall\Quarantine\GS2.exe.bac_a03772/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\user\.housecall\Quarantine\GS2.exe.bac_a03772/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\user\.housecall\Quarantine\GS2.exe.bac_a03772 NSIS: infected - 2 skipped
C:\Documents and Settings\user\.housecall\Quarantine\GS2.exe.bac_a03772 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp100.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp101.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp102.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp103.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp104.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp105.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp106.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp107.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp108.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp109.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\hp110.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall\Quarantine\iahpneg.exe.bac_a00500 Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\Documents and Settings\user\.housecall\Quarantine\simpole.tlb.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\!update.exe.bac_a03772 Infected: Trojan-Downloader.Win32.PurityScan.co skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\aupdate.exe.bac_a00500 Infected: Trojan-Downloader.Win32.Adload.k skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\backup-20060708-182855-769.dll.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\eins005.exe.bac_a00500 Infected: Trojan-Downloader.Win32.Adload.k skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\GS2.exe.bac_a03772/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\GS2.exe.bac_a03772/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\GS2.exe.bac_a03772 NSIS: infected - 2 skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\GS2.exe.bac_a03772 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp100.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp101.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp102.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp103.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp104.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp105.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp106.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp107.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp108.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp109.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\hp110.tmp.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\iahpneg.exe.bac_a00500 Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\img[1].tiff.bac_a02764 Suspicious: Exploit.Win32.IMG-WMF skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\ldC9AE.tmp.bac_a00384 Infected: not-virus:Hoax.Win32.Renos.dw skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\simpole.tlb.bac_a03772 Infected: Trojan-Downloader.Win32.Zlob.xz skipped
C:\Documents and Settings\user\.housecall6.6\Quarantine\xpupdate.exe.bac_a02764 Infected: not-virus:Hoax.Win32.Renos.fg skipped
C:\Documents and Settings\user\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user\Desktop\instructions.doc Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\MSHist012006100620061007\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF3A16.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF3AEB.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF51F7.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~WRF0000.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\UserData\index.dat Object is locked skipped
C:\Microsoft Office\Office\Startup\PDFMaker.dot Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\USER-KNB88M16GH.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT00cd2.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT00cd5.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
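
The scan reports above deserve a second, mechanical pass: both the Kaspersky and AVG logs hit C:\WINDOWS\system32\ѕуstem\winlogon.exe, where the directory name is spelled with two non-ASCII letters that look like Latin "s" and "y", and a core Windows binary name sits outside system32. The Python below is an added example for this thread (not from the original posts or from any vendor's tool) that parses Kaspersky-style report lines and flags both conditions; the sample lines are constructed after the log, and it assumes %SystemRoot% is C:\WINDOWS as in this thread.

```python
import re
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the Kaspersky Online Scanner report layout
# ("Infected Object Name / Virus Name / Last Action"). The second line mirrors
# the winlogon.exe hit in the log above; the directory name is spelled with
# Cyrillic U+0455 and U+0443 in place of Latin 's' and 'y'.
SAMPLE_REPORT = (
    "C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped\n"
    "C:\\WINDOWS\\system32\\\u0455\u0443stem\\winlogon.exe"
    " Infected: Trojan-Downloader.Win32.PurityScan.co skipped\n"
    "C:\\Documents and Settings\\user\\.housecall\\Quarantine\\hp100.tmp.bac_a03772"
    " Infected: Trojan-Downloader.Win32.Zlob.xz skipped\n"
    "C:\\WINDOWS\\Temp\\ZLT04242.TMP Object is locked skipped\n"
)

# One report line: <path> then either "Object is locked" or
# "Infected|Suspicious: <detection>", always ending in "skipped".
# The lazy path group lets paths with spaces ("Documents and Settings") work.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked)|(?P<verdict>Infected|Suspicious): (?P<name>\S+))"
    r" skipped$"
)

# Core XP processes that live only in %SystemRoot%\system32 (assumed C:\WINDOWS here).
CORE_SYSTEM32 = {"smss.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "lsass.exe", "svchost.exe"}
EXPECTED_DIR = ["c:", "windows", "system32"]


@dataclass
class Entry:
    path: str
    verdict: str                     # "locked", "Infected" or "Suspicious"
    name: Optional[str]              # detection name; None for locked objects
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one report line; returns None for layouts this parser does not know."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group("locked"):
        return Entry(m.group("path"), "locked", None)
    return Entry(m.group("path"), m.group("verdict"), m.group("name"))


def non_ascii_chars(path: str) -> List[tuple]:
    """Return (char, 'U+XXXX NAME') for every non-ASCII character in a path.

    Windows system directories are plain ASCII, so any such character under
    C:\\WINDOWS is worth a look; the Unicode name exposes the script directly.
    """
    return [(ch, f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')}")
            for ch in path if ord(ch) > 0x7F]


def misplaced_core_binary(path: str) -> bool:
    """True if a core system binary name sits anywhere but C:\\WINDOWS\\system32."""
    parts = path.split("\\")
    if len(parts) < 2 or parts[-1].lower() not in CORE_SYSTEM32:
        return False
    return [p.lower() for p in parts[:-1]] != EXPECTED_DIR


def triage(report: str) -> List[Entry]:
    """Parse a whole report and return only the entries that trip a heuristic."""
    findings = []
    for line in report.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        # Locked hives and logs are normal on a live system, but their paths
        # still get checked: a hidden rootkit file is often "locked", not "infected".
        odd = non_ascii_chars(entry.path)
        if odd:
            entry.reasons.append("non-ASCII in path: " + ", ".join(d for _, d in odd))
        if misplaced_core_binary(entry.path):
            entry.reasons.append("core system binary outside system32")
        if entry.reasons:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.path}\n  verdict: {f.verdict} {f.name or ''}")
        for r in f.reasons:
            print(f"  - {r}")
```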

#8 slypieguy

slypieguy
  • Topic Starter

  • Members
  • 13 posts

Posted 06 October 2006 - 06:12 PM

Also, I am still getting the popups caused by the spyware/virus. (they are always the same format so I know they are not from websites or whatever).

#9 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 06 October 2006 - 08:46 PM

Hi,
I see you have ZoneAlarm for a firewall, which is good, but I can't see any resident antivirus software on your system. That's absolutely suicidal in the virtual world. I don't know if your Windows is updated and patched either. This infection usually affects systems which are not patched for the WMF vulnerability. You are still infected with this resilient variety of the rootkit. Unfortunately, this rootkit, depending on the download, prevents the running of the known rootkit tools and hides itself from scanners. Let's try the following:

Please download and install one of the free-for-personal-use antivirus programs below. Update it and run a full system scan. Let it clean whatever it finds.

AVG Free here
AntiVir here
Avast here

Then, download Rootkit Revealer. Make sure that you are logged in as an Administrator to the computer for this scan.
  • Create a folder Rootkit Revealer in the following location C:\
  • Unzip to this folder.
  • Close ALL other open programmes, files and folders and disconnect from the internet. Close down all scheduling/updating and running background tasks, etc. Physically unplug the cable from the PC to the internet connection.
  • Click on RootkitRevealer.exe to launch the programme.
  • Click Scan, and allow it to scan your computer.

You may get a warning from your protection systems that a new service is being installed, this will have a random name, and is generated by Rootkit revealer, allow it please.

IMPORTANT: other than to allow the above event, do not touch your computer while the scan is running, as this will generate false reports.

When the scan is finished, click File > Save, and save RootkitRevealer.txt to your C:\Rootkit Revealer folder.

Copy the log to your next post please.

============================================

Let's also try the following scan in Safe Mode:

http://www.bitdefender.com/scan8/ie.html

=============================================

I see some unusual paths like

C:\fixwareout\AVG\guard.exe

Did you knowingly save AVG in the fixwareout folder, which is a tool for the wareout infection?

=============================================

"Prevx still would not run in safe mode"

Does it run in Normal Mode?

==============================================

Kaspersky is still flagging Kazaa and Morpheus. As long as you keep them, I don't see any point in trying to clean your computer.

==============================================

Please post back the results of the

Rootkit Revealer
Bitdefender scan
and a fresh HijackThis log

#10 slypieguy

slypieguy
  • Topic Starter

  • Members
  • 13 posts

Posted 07 October 2006 - 05:57 PM

To address your previous questions, prevx does not run in normal mode either. I don't know why morpheus and kazaa still showed up, I uninstalled them and deleted all files left from them after the uninstall. And yes I knowingly saved stuff into the Fixwareout folder, I thought I would just put all stuff suggested from this forum into one folder for convenience.

For the new stuff, I downloaded AntiVir and ran it. The log is below. I followed your instructions of closing everything and ending all background processes, but Rootkit Revealer would not run in normal or safe mode. The BitDefender link seems to be broken (I couldn't access it on my laptop either). Here are the logs from AntiVir and HijackThis:

AntiVir PersonalEdition Classic
Report file date: Saturday, October 07, 2006 16:44

Scanning for 495093 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-WURGE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: user
Computer name: USER-KNB88M16GH

Version information:
AVSCAN.EXE : 7.0.0.47 200744 8/21/2006 16:06:56
AVSCAN.DLL : 7.0.0.45 41000 9/7/2006 16:56:33
LUKE.DLL : 7.0.0.47 118824 9/7/2006 16:32:33
LUKERES.DLL : 7.0.0.47 9256 9/7/2006 16:56:33
ANTIVIR0.VDF : 6.35.0.1 7371264 5/31/2006 16:35:27
ANTIVIR1.VDF : 6.36.0.9 1424384 9/6/2006 13:12:24
ANTIVIR2.VDF : 6.36.0.10 2048 9/6/2006 13:12:26
ANTIVIR3.VDF : 6.36.0.11 2048 9/6/2006 13:12:28
AVEWIN32.DLL : 7.2.0.14 1827328 9/4/2006 20:23:26
AVPREF.DLL : 7.0.0.2 23592 7/24/2006 18:36:04
AVREP.DLL : 6.36.0.3 794664 9/6/2006 14:04:08
AVRPBASE.DLL : 7.0.0.0 2162728 3/30/2006 14:43:31
AVPACK32.DLL : 7.2.0.0 368680 7/21/2006 12:00:28
AVREG.DLL : 6.31.0.90 27688 7/28/2005 16:06:36
NETNT.DLL : 6.32.0.0 6696 9/27/2005 13:56:49
NETNW.DLL : 7.0.0.0 9768 7/24/2006 18:35:55
RCIMAGE.DLL : 7.0.0.74 1642536 8/1/2006 17:22:57
RCTEXT.DLL : 7.0.0.107 77864 9/7/2006 16:56:32

Configuration settings for the scan:
Jobname.......................: Local Hard Disks
Configuration file............: C:\Program Files\AntiVir PersonalEdition Classic\alldiscs.avp
Boot sectors..................: C
Scan memory...................: 1
Process scan..................: 1
Scan all files................: 2
Scan archives.................: 1
Recursion depth...............: 20
Smart extensions..............: 1
Macro heuristic...............: 1
File heuristic................: 0
Primary action................: 1
Secondary action..............: 0

Start of the scan: Saturday, October 07, 2006 16:44


The scan of running processes will be started
10 Processes were scanned

Start scanning boot sectors:

Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( 11 files ).


Starting the file scan:

C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\user\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\user\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\user\Local Settings\Temp\~DF507D.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\user\Local Settings\Temp\~DF5156.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\user\Local Settings\Temp\~DFDDB9.tmp
[WARNING] The file could not be opened!
C:\WINDOWS\system32\VB1.exe
[DETECTION] Contains signature of the dropper DR/VirtualBouncer.J.7
[INFO] The file was deleted!
C:\WINDOWS\system32\config\default
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\default.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SAM
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SAM.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SECURITY
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SECURITY.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\software
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\software.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\system
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\system.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\Temp\ZLT034a8.TMP
[WARNING] The file could not be opened!
C:\WINDOWS\Temp\ZLT07966.TMP
[WARNING] The file could not be opened!


End of the scan: Saturday, October 07, 2006 18:17
Used time: 1:32:52 min

The scan has been done completely.

4646 Scanning directories
194415 Files were scanned
1 viruses and/or unwanted programs were found
1 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1561 Archives were scanned
29 Warnings
1 Notes






Logfile of HijackThis v1.99.1
Scan saved at 6:50:40 PM, on 10/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PopupKiller\killer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\ZoneAlarm\zlclient.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\AIM\aim.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\fixwareout\AVG\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {71A97312-8C68-8468-135A-D25EF518556C} - C:\WINDOWS\lypki1.dll (file missing)
O4 - HKLM\..\Run: [aiepk] C:\PopupKiller\killer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AIM] C:\AIM\aim.exe -cnetwait.odl
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/...iveX/ofmctl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\fixwareout\AVG\guard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Sorry, we don't seem to be making much progress. Thanks for your continuing efforts. This thing is really slowing down my CPU speed, so I hope we can get it somehow. It seems like everything is running at about half speed.

Edited by slypieguy, 07 October 2006 - 05:58 PM.


#11 amateur


    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 08 October 2006 - 06:50 AM

Hi Slypieguy,

To address your previous questions, Prevx does not run in normal mode either

That's not good news.

the rootkit revealer would not run in normal or safe mode

That's bad news too.

The BitDefender link seems to be broken

I don't have any problem accessing the link from here. It may again be the rootkit preventing it.

Sorry, we don't seem to be making much progress. Thanks for your continuing efforts.

You're right :thumbsup: , and no problem. I don't know if we can get it. I am losing my hope.

Ok, firstly, all of the programs you linked for me (except the web browser scanner) I was unable to access, I am guessing due to the virus, it made them broken links. So I accessed them on my laptop and emailed the files to myself. Then, for each program, when I tried to run them nothing happened. I tried in safe mode as well multiple times with the same result. Also, to answer your question, I am getting some popups, and it is very obvious they are caused by the spyware/virus, not by the webpages I am visiting. I am more noticing a decrease in computer/internet speed than anything else. Since none of the fixer programs ran, I don't think the HijackThis log has changed any, but here it is anyway:


I am afraid the system is severely compromised. I believe it may be best if you opt for a reformat and reinstall. Some experts have been recommending that and based on what I read and see, in this case particularly, I agree with them. However, I'll ask the experts if there is anything else they may recommend.

In the meantime, even if we manage to clean the malware, you can still get errors afterwards because of the damage, and solving them will not be easy if at all possible. You are dealing with a very nasty malware...

These allow hackers to remotely control your computer, steal critical system information, and download and execute files.

I would recommend you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
=====================================

Edited by amateur, 08 October 2006 - 07:30 AM.


#12 slypieguy

  • Topic Starter

  • Members
  • 13 posts

Posted 08 October 2006 - 08:34 PM

This is starting to seem like more of a hassle than it is worth. I think I will just reformat, I am way overdue for one anyway. Thank you for your attempts to help though.

#13 amateur


    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 09 October 2006 - 06:58 AM

Hi,

I am sorry we couldn't help you. As I said, this is a very nasty infection. Sometimes it's best to reformat and reinstall. If you need help with that, you can visit the XP forum. Good luck.

#14 amateur


    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 19 October 2006 - 06:47 PM

This thread will now be closed. If you need this topic reopened, please PM me with the address of the thread and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.
