
Trying To Figure Out Pop-ups


49 replies to this topic

#1 nyarlathotep13

Posted 17 October 2006 - 05:27 PM

I was recently infected with several very serious viruses; I've managed to fix pretty much everything on my own, except that I am occasionally hit by a wave of pop-ups, and, more rarely but more frustrating, a window pops up effectively saying Internet Explorer has requested an unusual runtime error, and every internet-related window closes down.


Please help me :thumbsup:


I've downloaded HijackThis, and here's my log:


Logfile of HijackThis v1.99.1
Scan saved at 6:08:12 PM, on 10/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - (no file)
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmnext06] C:\WINDOWS\next06.exe
O4 - HKLM\..\Run: [lnfa4530] RUNDLL32.EXE w1515785.dll,n 005a452b000000121515785
O4 - HKLM\..\Run: [ms051481710175] C:\WINDOWS\ms051481710175.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wawcrw.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.google.com/diskless/bin/tgctlcm.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O20 - AppInit_DLLs:
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe



#2 Buckeye_Sam


    Malware Expert



Posted 18 October 2006 - 05:53 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 nyarlathotep13

  • Topic Starter


Posted 18 October 2006 - 09:20 PM

:thumbsup:

....ComboFix did its thing, saying that it detected Qoologic and an inactive Look2Me. Then it said something about attempting to fix these two things. Then it rebooted my computer. Nowhere was a log produced.....


Note: this may or may not be relevant, but after it rebooted my computer and I logged in, my wallpaper loaded up, but my desktop icons and start bar at the bottom never did appear. Task Manager opened up just fine and said a process cmd.exe was running and taking up about 10% of my CPU.

#4 Buckeye_Sam


    Malware Expert



Posted 19 October 2006 - 10:44 AM

The log should be located here.

C:\ComboFix.txt

#5 nyarlathotep13

  • Topic Starter


Posted 19 October 2006 - 11:19 PM

Okay, I just didn't think to look there is all....

Administrator - 06-10-19 21:35:03.68 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\lv4u09h9e.dll
C:\WINDOWS\system32\mysystem.dll


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


O4 - HKLM\...\Run C:\WINDOWS\System32\wawcrw.exe


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-10-17 16:01 199168 wawcrw.exe.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\offun.exe
C:\WINDOWS\system32\adrotate.dll
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\WINDOWS\system32\dmonwv.dll

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\Common Files\YMBOLS~1
C:\QooBox\Purity\Program Files\Common Files\YMBOLS~1\dllhost.exe
C:\QooBox\Purity\Program Files\Common Files\YMBOLS~1\?ymbols


((((((((((((((((((((((((((((((( Files Created from 2006-09-19 to 2006-10-19 ))))))))))))))))))))))))))))))))))


2006-10-19 18:11 98,324 --a------ C:\WINDOWS\system32\igtsdvan.dll
2006-10-17 22:34 98,324 --a------ C:\WINDOWS\system32\imeopetl.dll
2006-10-17 22:33 499,428 ---hs---- C:\WINDOWS\system32\xycdd.ini2
2006-10-17 16:01 73,216 --a------ C:\WINDOWS\system32\epenpea.dll
2006-10-17 16:01 499,262 ---hs---- C:\WINDOWS\system32\xycdd.bak2
2006-10-17 16:01 432 --a------ C:\WINDOWS\rpriy.dll
2006-10-17 16:01 29,184 --a------ C:\WINDOWS\system32\fvfddfc.exe
2006-10-17 16:01 12,288 --a------ C:\WINDOWS\system32\fmfwr.dll
2006-10-13 21:58 24,296 --a------ C:\WINDOWS\icont.exe
2006-10-13 21:43 647,824 -r-hs---- C:\WINDOWS\obanhhbA.exe
2006-10-13 20:03 2,855 --a------ C:\WINDOWS\system32\command.PIF
2006-10-12 18:00 234,272 --------- C:\WINDOWS\system32\jtj4071qe.dll
2006-10-12 17:33 684,084 ---hs---- C:\WINDOWS\system32\ddcyx.dll
2006-10-12 17:33 441,149 ---hs---- C:\WINDOWS\system32\xycdd.bak1
2006-10-11 21:33 417,792 -r--s---- C:\WINDOWS\system32\gpjml3111.dll
2006-10-11 21:33 131,072 --a------ C:\WINDOWS\system32\lcawft.dll
2006-10-11 21:32 518,784 -r-hs---- C:\WINDOWS\obanhhb.exe
2006-10-11 21:31 40,973 ---hs---- C:\WINDOWS\system32\xxywtqr.dll
2006-10-11 16:49 18,474 --a------ C:\WINDOWS\system32\ascuth.dll
2006-10-06 16:36 111,270 --a------ C:\WINDOWS\system32\Eim03.exe
2006-10-06 14:15 97,433 --a------ C:\WINDOWS\system32\traffic_solution_new.exe
2006-10-02 20:49 69,632 --a------ C:\WINDOWS\system32\xmltok.dll
2006-10-02 20:49 36,864 --a------ C:\WINDOWS\system32\xmlparse.dll
2006-10-02 20:49 26,064 --a------ C:\WINDOWS\system32\xmlinst.exe
2006-10-02 20:49 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2006-09-28 19:24 75,264 --a------ C:\WINDOWS\system32\nscDB.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-19 21:54 -------- d-------- C:\Program Files\Common Files
2006-10-19 18:06 -------- d-------- C:\Program Files\HijackThis
2006-10-13 22:57 -------- d-------- C:\Program Files\AVPersonal
2006-10-13 16:44 -------- d-------- C:\Program Files\Windows Media Player
2006-10-13 16:44 -------- d-------- C:\Program Files\Real Alternative
2006-10-13 16:44 -------- d-------- C:\Program Files\Movie Maker
2006-10-13 16:44 -------- d-------- C:\Program Files\Messenger
2006-10-13 16:44 -------- d-------- C:\Program Files\FaxTools
2006-10-12 18:27 -------- d-------- C:\Program Files\ComPlus Applications
2006-10-12 17:34 -------- d-------- C:\Program Files\QuickTime
2006-10-12 17:34 -------- d-------- C:\Program Files\iTunes
2006-10-12 17:34 -------- d-------- C:\Program Files\Dell AIO Printer A940
2006-10-12 17:28 25600 --a------ C:\WINDOWS\system32\NeroCheck.exe
2006-10-12 17:28 25600 --a------ C:\WINDOWS\system32\igfxtray.exe
2006-10-12 17:28 25600 --a------ C:\WINDOWS\system32\hkcmd.exe
2006-10-11 21:32 -------- d-------- C:\Program Files\Windows NT
2006-10-02 23:11 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-19 19:21 -------- d-------- C:\Documents and Settings\Administrator\Application Data\IMVU
2006-09-15 23:15 -------- d-------- C:\Documents and Settings\Administrator\Application Data\MP3Rocket
2006-09-15 17:21 53248 --a------ C:\WINDOWS\uninst108.exe
2006-09-15 17:16 53248 --a------ C:\WINDOWS\uni_e6h.exe
2006-09-06 22:39 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2006-09-05 15:28 -------- d-------- C:\Program Files\Creative
2006-08-31 22:30 -------- d-------- C:\Program Files\MP3 Rocket
2006-08-31 00:04 -------- d-------- C:\Documents and Settings\Administrator\Application Data\IGN_DLM
2006-08-30 19:01 -------- d-------- C:\Program Files\IGN


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Dell AIO Printer A940"="\"C:\\Program Files\\Dell AIO Printer A940\\dlbabmgr.exe\""
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"mmnext06"="C:\\WINDOWS\\next06.exe"
"lnfa4530"="RUNDLL32.EXE w1515785.dll,n 005a452b000000121515785"
"ms051481710175"="C:\\WINDOWS\\ms051481710175.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyx

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-19 21:59:52.81
C:\ComboFix.txt ... 06-10-19 21:59
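The HijackThis log in the first post and the ComboFix log above are read by eye in this thread. As an added example (not a BleepingComputer or ComboFix tool), the script below parses the two line formats, O4 Run entries and ComboFix "Files Created" entries, and flags the traits the helper is looking at: loose executables in C:\WINDOWS itself, rundll32 loading a DLL by bare name, hidden+system attributes, and a .PIF in system32. The sample log is constructed from lines copied out of this thread; the heuristics are an assumption of this example and only rank lines for a human, they do not decide what is malware.

```python
"""Triage helper for HijackThis O4 (Run key) lines and ComboFix 'Files Created'
lines. Added example for this thread, not a BleepingComputer/ComboFix tool.
The heuristics are deliberately simple: they rank lines for a human reviewer."""
import re
from typing import List, Tuple

# HijackThis O4 entry:  O4 - HKLM\..\Run: [name] command
HJT_O4 = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# ComboFix 'Files Created' entry:  2006-10-17 22:33 499,428 ---hs---- C:\path
CF_FILE = re.compile(r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) '
                     r'(?P<size>[\d,]+) (?P<attr>[-a-z]{9}) (?P<path>.+)$')
WINDIR = r'c:\windows'
SYSTEM32 = r'c:\windows\system32'
DIGIT_RUN = re.compile(r'\d{6,}')   # names like ms051481710175: a common dropper pattern


def _split_cmd(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (program, arguments), honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else '')


def _parent(path: str) -> str:
    return path.lower().rsplit('\\', 1)[0]


def check_o4(line: str) -> List[str]:
    """Reasons an O4 Run entry deserves a closer look; empty list means nothing flagged."""
    m = HJT_O4.match(line.rstrip())
    if not m:
        return []
    name, (prog, args) = m.group('name'), _split_cmd(m.group('cmd'))
    basename = prog.rsplit('\\', 1)[-1]
    reasons = []
    if basename.lower().startswith('rundll32'):
        dll = args.split(',', 1)[0]
        if '\\' not in dll:                     # bare name: resolved via the DLL search path
            reasons.append(f'rundll32 loads unqualified DLL {dll}')
    elif _parent(prog) == WINDIR:               # loose binaries in C:\WINDOWS itself are rare
        reasons.append(f'executable directly in Windows folder: {prog}')
    elif _parent(prog).startswith(WINDIR) and args and args[0] not in '/-':
        reasons.append(f'system-folder program started with odd argument {args!r}')
    if DIGIT_RUN.search(name) or DIGIT_RUN.search(basename):
        reasons.append('long digit run in entry or file name')
    return reasons


def check_created(line: str) -> List[str]:
    """Reasons a ComboFix 'Files Created' entry deserves a closer look."""
    m = CF_FILE.match(line.rstrip())
    if not m:
        return []
    attr, path = m.group('attr'), m.group('path')
    parent, ext = _parent(path), path.lower().rsplit('.', 1)[-1]
    reasons = []
    if 'h' in attr and 's' in attr:
        reasons.append('hidden+system attributes (hidden from Explorer by default)')
    if parent == WINDIR and ext in ('exe', 'dll', 'pif'):
        reasons.append('executable dropped directly in Windows folder')
    if parent == SYSTEM32 and ext == 'pif':
        reasons.append('PIF shortcut in system32')
    return reasons


def triage(log: str) -> List[Tuple[str, List[str]]]:
    """Run both checks over a pasted log and return the flagged lines with reasons."""
    flagged = []
    for line in log.splitlines():
        reasons = check_o4(line) or check_created(line)
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmnext06] C:\WINDOWS\next06.exe
O4 - HKLM\..\Run: [lnfa4530] RUNDLL32.EXE w1515785.dll,n 005a452b000000121515785
O4 - HKLM\..\Run: [ms051481710175] C:\WINDOWS\ms051481710175.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wawcrw.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
2006-10-17 22:33 499,428 ---hs---- C:\WINDOWS\system32\xycdd.ini2
2006-10-13 21:43 647,824 -r-hs---- C:\WINDOWS\obanhhbA.exe
2006-10-13 20:03 2,855 --a------ C:\WINDOWS\system32\command.PIF
2006-10-17 16:01 432 --a------ C:\WINDOWS\rpriy.dll
2006-10-02 20:49 69,632 --a------ C:\WINDOWS\system32\xmltok.dll
"""

if __name__ == '__main__':
    for text, why in triage(SAMPLE_LOG):
        print(text)
        for r in why:
            print('   ->', r)
```

Note that xmltok.dll (a legitimate expat library) and the vendor entries pass clean while the wawcrw.exe entry, which ComboFix quarantined as Qoologic, is caught only by the weak "odd argument" rule; the output is a reading aid for a log like the one above, not a verdict.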

#6 Buckeye_Sam


    Malware Expert



Posted 20 October 2006 - 08:02 AM

Click Start -> Run
Copy the command below and paste it into the Run box and click Ok.

"%userprofile%\desktop\combofix.exe" /v ddcyx

When it's done running it will produce a log for you. Please post that log in your next reply.


============



Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\igtsdvan.dll
    C:\WINDOWS\system32\imeopetl.dll
    C:\WINDOWS\system32\epenpea.dll
    C:\WINDOWS\rpriy.dll
    C:\WINDOWS\system32\fvfddfc.exe
    C:\WINDOWS\system32\fmfwr.dll
    C:\WINDOWS\icont.exe
    C:\WINDOWS\obanhhbA.exe
    C:\WINDOWS\system32\command.PIF
    C:\WINDOWS\system32\jtj4071qe.dll
    C:\WINDOWS\system32\gpjml3111.dll
    C:\WINDOWS\system32\lcawft.dll
    C:\WINDOWS\obanhhb.exe
    C:\WINDOWS\system32\xxywtqr.dll
    C:\WINDOWS\system32\ascuth.dll
    C:\WINDOWS\system32\Eim03.exe
    C:\WINDOWS\system32\traffic_solution_new.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
=============



Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
=============



Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.


#7 nyarlathotep13

  • Topic Starter


Posted 20 October 2006 - 11:24 AM

Okay, done.
Note: Killbox did NOT make any sort of PendingFileRenameOperations prompt.
Here are your logs:


ComboFix
Administrator - 06-10-19 21:35:03.68 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\lv4u09h9e.dll
C:\WINDOWS\system32\mysystem.dll


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


O4 - HKLM\...\Run C:\WINDOWS\System32\wawcrw.exe


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-10-17 16:01 199168 wawcrw.exe.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\offun.exe
C:\WINDOWS\system32\adrotate.dll
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\WINDOWS\system32\dmonwv.dll

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\Common Files\YMBOLS~1
C:\QooBox\Purity\Program Files\Common Files\YMBOLS~1\dllhost.exe
C:\QooBox\Purity\Program Files\Common Files\YMBOLS~1\?ymbols


((((((((((((((((((((((((((((((( Files Created from 2006-09-19 to 2006-10-19 ))))))))))))))))))))))))))))))))))


2006-10-19 18:11 98,324 --a------ C:\WINDOWS\system32\igtsdvan.dll
2006-10-17 22:34 98,324 --a------ C:\WINDOWS\system32\imeopetl.dll
2006-10-17 22:33 499,428 ---hs---- C:\WINDOWS\system32\xycdd.ini2
2006-10-17 16:01 73,216 --a------ C:\WINDOWS\system32\epenpea.dll
2006-10-17 16:01 499,262 ---hs---- C:\WINDOWS\system32\xycdd.bak2
2006-10-17 16:01 432 --a------ C:\WINDOWS\rpriy.dll
2006-10-17 16:01 29,184 --a------ C:\WINDOWS\system32\fvfddfc.exe
2006-10-17 16:01 12,288 --a------ C:\WINDOWS\system32\fmfwr.dll
2006-10-13 21:58 24,296 --a------ C:\WINDOWS\icont.exe
2006-10-13 21:43 647,824 -r-hs---- C:\WINDOWS\obanhhbA.exe
2006-10-13 20:03 2,855 --a------ C:\WINDOWS\system32\command.PIF
2006-10-12 18:00 234,272 --------- C:\WINDOWS\system32\jtj4071qe.dll
2006-10-12 17:33 684,084 ---hs---- C:\WINDOWS\system32\ddcyx.dll
2006-10-12 17:33 441,149 ---hs---- C:\WINDOWS\system32\xycdd.bak1
2006-10-11 21:33 417,792 -r--s---- C:\WINDOWS\system32\gpjml3111.dll
2006-10-11 21:33 131,072 --a------ C:\WINDOWS\system32\lcawft.dll
2006-10-11 21:32 518,784 -r-hs---- C:\WINDOWS\obanhhb.exe
2006-10-11 21:31 40,973 ---hs---- C:\WINDOWS\system32\xxywtqr.dll
2006-10-11 16:49 18,474 --a------ C:\WINDOWS\system32\ascuth.dll
2006-10-06 16:36 111,270 --a------ C:\WINDOWS\system32\Eim03.exe
2006-10-06 14:15 97,433 --a------ C:\WINDOWS\system32\traffic_solution_new.exe
2006-10-02 20:49 69,632 --a------ C:\WINDOWS\system32\xmltok.dll
2006-10-02 20:49 36,864 --a------ C:\WINDOWS\system32\xmlparse.dll
2006-10-02 20:49 26,064 --a------ C:\WINDOWS\system32\xmlinst.exe
2006-10-02 20:49 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2006-09-28 19:24 75,264 --a------ C:\WINDOWS\system32\nscDB.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-19 21:54 -------- d-------- C:\Program Files\Common Files
2006-10-19 18:06 -------- d-------- C:\Program Files\HijackThis
2006-10-13 22:57 -------- d-------- C:\Program Files\AVPersonal
2006-10-13 16:44 -------- d-------- C:\Program Files\Windows Media Player
2006-10-13 16:44 -------- d-------- C:\Program Files\Real Alternative
2006-10-13 16:44 -------- d-------- C:\Program Files\Movie Maker
2006-10-13 16:44 -------- d-------- C:\Program Files\Messenger
2006-10-13 16:44 -------- d-------- C:\Program Files\FaxTools
2006-10-12 18:27 -------- d-------- C:\Program Files\ComPlus Applications
2006-10-12 17:34 -------- d-------- C:\Program Files\QuickTime
2006-10-12 17:34 -------- d-------- C:\Program Files\iTunes
2006-10-12 17:34 -------- d-------- C:\Program Files\Dell AIO Printer A940
2006-10-12 17:28 25600 --a------ C:\WINDOWS\system32\NeroCheck.exe
2006-10-12 17:28 25600 --a------ C:\WINDOWS\system32\igfxtray.exe
2006-10-12 17:28 25600 --a------ C:\WINDOWS\system32\hkcmd.exe
2006-10-11 21:32 -------- d-------- C:\Program Files\Windows NT
2006-10-02 23:11 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-19 19:21 -------- d-------- C:\Documents and Settings\Administrator\Application Data\IMVU
2006-09-15 23:15 -------- d-------- C:\Documents and Settings\Administrator\Application Data\MP3Rocket
2006-09-15 17:21 53248 --a------ C:\WINDOWS\uninst108.exe
2006-09-15 17:16 53248 --a------ C:\WINDOWS\uni_e6h.exe
2006-09-06 22:39 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2006-09-05 15:28 -------- d-------- C:\Program Files\Creative
2006-08-31 22:30 -------- d-------- C:\Program Files\MP3 Rocket
2006-08-31 00:04 -------- d-------- C:\Documents and Settings\Administrator\Application Data\IGN_DLM
2006-08-30 19:01 -------- d-------- C:\Program Files\IGN


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Dell AIO Printer A940"="\"C:\\Program Files\\Dell AIO Printer A940\\dlbabmgr.exe\""
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"mmnext06"="C:\\WINDOWS\\next06.exe"
"lnfa4530"="RUNDLL32.EXE w1515785.dll,n 005a452b000000121515785"
"ms051481710175"="C:\\WINDOWS\\ms051481710175.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyx

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-19 21:59:52.81
C:\ComboFix.txt ... 06-10-19 21:59


Killbox
Pocket Killbox version 2.0.0.881
Running on Windows XP as Administrator(Administrator)
was started @ Saturday, October 21, 2006, 11:07 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\igtsdvan.dll


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\imeopetl.dll


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\epenpea.dll


# 4 [Delete on Reboot]
Path = C:\WINDOWS\rpriy.dll


# 5 [Delete on Reboot]
Path = C:\WINDOWS\system32\fvfddfc.exe


# 6 [Delete on Reboot]
Path = C:\WINDOWS\system32\fmfwr.dll


# 7 [Delete on Reboot]
Path = C:\WINDOWS\icont.exe


# 8 [Delete on Reboot]
Path = C:\WINDOWS\obanhhbA.exe


# 9 [Delete on Reboot]
Path = C:\WINDOWS\system32\command.PIF


# 10 [Delete on Reboot]
Path = C:\WINDOWS\system32\jtj4071qe.dll


# 11 [Delete on Reboot]
Path = C:\WINDOWS\system32\gpjml3111.dll


# 12 [Delete on Reboot]
Path = C:\WINDOWS\system32\lcawft.dll


# 13 [Delete on Reboot]
Path = C:\WINDOWS\obanhhb.exe


# 14 [Delete on Reboot]
Path = C:\WINDOWS\system32\xxywtqr.dll


# 15 [Delete on Reboot]
Path = C:\WINDOWS\system32\ascuth.dll


# 16 [Delete on Reboot]
Path = C:\WINDOWS\system32\Eim03.exe


# 17 [Delete on Reboot]
Path = C:\WINDOWS\system32\traffic_solution_new.exe


I Rebooted @ 11:09:34 AM
Killbox Closed(Exit) @ 11:09:36 AM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Administrator(Administrator)
was started @ Saturday, October 21, 2006, 11:12 AM



Panda ActiveScan

Incident Status Location

Adware:Adware/QoolAid Not disinfected c:\windows\system32\wawcrw.exe
Virus:Trj/Lowzones.SY Disinfected Operating system




HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 12:06:55 PM, on 10/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\HijackThis\hijjakme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\System32\kmmhebly.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wawcrw.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.google.com/diskless/bin/tgctlcm.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs:
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

Edited by nyarlathotep13, 20 October 2006 - 11:26 AM.


#8 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 21 October 2006 - 05:28 PM

Use Killbox to delete these files.

c:\windows\system32\wawcrw.exe
C:\WINDOWS\System32\kmmhebly.dll



============


Run Hijackthis again, click scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\System32\kmmhebly.dll
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wawcrw.exe reg_run
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O20 - AppInit_DLLs:



===========


Reboot your computer.

The Combofix log you posted was the same one from before. Look for C:\Combofix2.txt
Also post a new hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 nyarlathotep13
  • Topic Starter
  • Members
  • 38 posts

Posted 23 October 2006 - 04:58 PM

O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\System32\kmmhebly.dll did not appear when i ran HJT - i assume because i just deleted it with Killbox...

And, when i ran HJT, checked the files you told me to, and clicked Fix Checked, it ran for about two seconds, then a window popped up that said:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: )
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2800.1106
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.




i share my computer, and my roommate deleted all my previous combofix logs because he's an idiot, so i can't give you the previous log, but i just ran it again, and here's the new log

Administrator - 06-10-24 17:09:59.54 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Administrator\My Documents"

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


O4 - HKLM\...\Run C:\WINDOWS\System32\wawcrw.exe


* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\epenpea.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xzxj.exe
C:\WINDOWS\system32\fvfddfc.exe
C:\WINDOWS\rpriy.dll
C:\WINDOWS\system32\pupkb.dat
C:\WINDOWS\system32\fmfwr.dll


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-10-24 17:08 73216 epenpea.dll.qoo
06-10-24 17:08 29184 fvfddfc.exe.qoo
06-10-24 17:08 12288 fmfwr.dll.qoo
06-10-24 17:08 386 rpriy.dll.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((( Files Created from 2006-09-24 to 2006-10-24 ))))))))))))))))))))))))))))))))))


2006-10-24 17:08 199,168 --a------ C:\WINDOWS\system32\wawcrw.exe
2006-10-21 00:07 98,324 --a------ C:\WINDOWS\system32\bfmnmaoe.dll
2006-10-20 14:15 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2006-10-02 20:49 69,632 --a------ C:\WINDOWS\system32\xmltok.dll
2006-10-02 20:49 36,864 --a------ C:\WINDOWS\system32\xmlparse.dll
2006-10-02 20:49 26,064 --a------ C:\WINDOWS\system32\xmlinst.exe
2006-10-02 20:49 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2006-09-28 19:24 75,264 --a------ C:\WINDOWS\system32\nscDB.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-24 17:06 -------- d-------- C:\Program Files\HijackThis
2006-10-21 14:29 -------- d-------- C:\Program Files\AVPersonal
2006-10-21 12:00 -------- d-------- C:\Program Files\QuickTime
2006-10-21 12:00 -------- d-------- C:\Program Files\Messenger
2006-10-20 18:18 -------- d-------- C:\Program Files\Common Files\WinAntiVirus Pro 2006
2006-10-20 14:15 -------- d-------- C:\Program Files\Common Files
2006-10-20 14:15 -------- d-------- C:\Documents and Settings\Administrator\Application Data\WinAntiVirus Pro 2006
2006-10-20 14:13 -------- d-------- C:\Documents and Settings\Administrator\Application Data\SearchToolbarCorp
2006-10-13 16:44 -------- d-------- C:\Program Files\Windows Media Player
2006-10-13 16:44 -------- d-------- C:\Program Files\Real Alternative
2006-10-13 16:44 -------- d-------- C:\Program Files\Movie Maker
2006-10-13 16:44 -------- d-------- C:\Program Files\FaxTools
2006-10-12 18:27 -------- d-------- C:\Program Files\ComPlus Applications
2006-10-12 17:34 -------- d-------- C:\Program Files\iTunes
2006-10-12 17:34 -------- d-------- C:\Program Files\Dell AIO Printer A940
2006-10-12 17:28 25600 --a------ C:\WINDOWS\system32\NeroCheck.exe
2006-10-12 17:28 25600 --a------ C:\WINDOWS\system32\igfxtray.exe
2006-10-12 17:28 25600 --a------ C:\WINDOWS\system32\hkcmd.exe
2006-10-11 21:32 -------- d-------- C:\Program Files\Windows NT
2006-10-02 23:11 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-19 19:21 -------- d-------- C:\Documents and Settings\Administrator\Application Data\IMVU
2006-09-15 23:15 -------- d-------- C:\Documents and Settings\Administrator\Application Data\MP3Rocket
2006-09-15 17:21 53248 --a------ C:\WINDOWS\uninst108.exe
2006-09-15 17:16 53248 --a------ C:\WINDOWS\uni_e6h.exe
2006-09-06 22:39 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2006-09-05 15:28 -------- d-------- C:\Program Files\Creative
2006-08-31 22:30 -------- d-------- C:\Program Files\MP3 Rocket
2006-08-31 00:04 -------- d-------- C:\Documents and Settings\Administrator\Application Data\IGN_DLM
2006-08-30 19:01 -------- d-------- C:\Program Files\IGN


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Dell AIO Printer A940"="\"C:\\Program Files\\Dell AIO Printer A940\\dlbabmgr.exe\""
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061024-170637-613
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
backup-20061024-170637-521
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20061024-170637-438
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
backup-20061024-170637-218
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wawcrw.exe reg_run
Completion time: 06-10-24 17:15:53.82
C:\ComboFix.txt ... 06-10-24 17:15



Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 5:18:10 PM, on 10/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.391\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wawcrw.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.google.com/diskless/bin/tgctlcm.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

#10 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 23 October 2006 - 05:38 PM

Please download Qoofix by Rubber Ducky to your desktop.
  • Right click on the Qoofix folder, and choose "Extract All". Extract Qoofix to your C: drive
  • Close all windows and programs, including internet windows.
  • Go to C:\Qoofix and open the folder, then double click on Qoofix.exe
  • Click Begin Removal and wait for the scan to finish
  • If Qoofix finds an infection, select yes to restart your computer
  • You will now find a log from this tool, located at C:\Qoofix\Qoofix Logfile.txt Copy and paste the contents of that report into your next reply here.



========================================================

#11 nyarlathotep13
  • Topic Starter
  • Members
  • 38 posts

Posted 23 October 2006 - 09:11 PM

Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [10/24/2006] at [9:59:41 PM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [10/24/2006] at [10:00:19 PM]

Note: Some registry keys may have been removed.

#12 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 24 October 2006 - 07:47 AM

Fix this line with Hijackthis, if still present.

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wawcrw.exe reg_run


==============


Use Killbox to delete these files on reboot.

C:\WINDOWS\system32\wawcrw.exe
C:\WINDOWS\system32\bfmnmaoe.dll



==============


Please post a new log from Combofix.


========================================================

#13 nyarlathotep13
  • Topic Starter
  • Members
  • 38 posts

Posted 24 October 2006 - 05:54 PM

"O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wawcrw.exe reg_run" was not listed in the Hijackthis Log





#14 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 24 October 2006 - 08:30 PM

Those files are still showing up in your log.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:

C:\WINDOWS\system32\wawcrw.exe
C:\WINDOWS\system32\bfmnmaoe.dll



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 nyarlathotep13

nyarlathotep13
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:05:52 AM

Posted 24 October 2006 - 09:00 PM

wawcrw.exe is still showing up......



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hpjnfkhf

*******************

Script file located at: \??\C:\WINDOWS\System32\jgkkkoth.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\wawcrw.exe deleted successfully.


File C:\WINDOWS\system32\bfmnmaoe.dll not found!
Deletion of file C:\WINDOWS\system32\bfmnmaoe.dll failed!

Could not process line:
C:\WINDOWS\system32\bfmnmaoe.dll
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.








Logfile of HijackThis v1.99.1
Scan saved at 9:49:23 PM, on 10/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\hijjakme.exe

O2 - BHO: (no name) - {70419146-be6f-4a45-972e-67a58c8717d8} - C:\WINDOWS\system32\iuen71u.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wawcrw.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.google.com/diskless/bin/tgctlcm.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O20 - Winlogon Notify: iuen71u - C:\WINDOWS\SYSTEM32\iuen71u.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

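The two logs in the post above can be cross-checked mechanically. The Python script below is an added example (it is not from this thread, nor code from The Avenger or HijackThis): it parses an Avenger result log and a HijackThis log, reports for each Avenger target whether the file was deleted, names the one NTSTATUS code that appears here (0xc0000034), lists the HijackThis entries that still reference the same path, and points out any file that HijackThis shows loaded through more than one hook type (in this log the same DLL appears under both O2 and O20). The embedded sample logs are constructed from abbreviated excerpts of the thread so the script runs offline.

```python
# Added example: cross-check an Avenger result log against a fresh HijackThis log.
# Sample logs are constructed from abbreviated excerpts of the thread.
import re
from collections import defaultdict

# Only the NTSTATUS code seen in the thread is named; 0xC0000034 is
# STATUS_OBJECT_NAME_NOT_FOUND (the file was already absent when Avenger ran).
NTSTATUS_NAMES = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

AVENGER_LOG = r"""Logfile of The Avenger version 1, by Swandog46
Beginning to process script file:
File C:\WINDOWS\system32\wawcrw.exe deleted successfully.
File C:\WINDOWS\system32\bfmnmaoe.dll not found!
Deletion of file C:\WINDOWS\system32\bfmnmaoe.dll failed!
Could not process line:
C:\WINDOWS\system32\bfmnmaoe.dll
Status: 0xc0000034
Completed script processing.
"""

HJT_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {70419146-be6f-4a45-972e-67a58c8717d8} - C:\WINDOWS\system32\iuen71u.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wawcrw.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: iuen71u - C:\WINDOWS\SYSTEM32\iuen71u.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
"""

# HijackThis entry lines start with a section code (O2, O4, O20, R0, ...).
HJT_LINE = re.compile(r"^([ORFN]\d+) - (.*)$")
# A Windows path ending in a loadable module; a quote or newline ends it.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx)', re.IGNORECASE)

def parse_avenger_log(text):
    """Map lower-cased path -> {"path", "deleted", "status"} for each file Avenger
    reported on; a failed deletion is followed by a 'Could not process line:' block."""
    results, pending = {}, None
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        ok = re.match(r"^File (.+?) deleted successfully\.$", line)
        failed = re.match(r"^Deletion of file (.+?) failed!$", line)
        status = re.match(r"^Status: (0x[0-9A-Fa-f]+)$", line)
        if ok:
            results[ok.group(1).lower()] = {"path": ok.group(1), "deleted": True, "status": None}
        elif failed:
            results[failed.group(1).lower()] = {"path": failed.group(1), "deleted": False, "status": None}
        elif line == "Could not process line:" and i + 1 < len(lines):
            pending = lines[i + 1]  # the offending path is on the next line
        elif status and pending is not None:
            entry = results.setdefault(pending.lower(), {"path": pending, "deleted": False, "status": None})
            entry["status"] = int(status.group(1), 16)
            pending = None
    return results

def parse_hjt_log(text):
    """Return [(section, body, [paths])] for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            section, body = m.groups()
            entries.append((section, body, WIN_PATH.findall(body)))
    return entries

def cross_check(avenger, hjt_entries):
    """Per Avenger target: deleted or not, NTSTATUS name if reported, and the HJT
    entries still naming it (a Run value is a registry entry, so it can outlive its file)."""
    report = {}
    for key, res in avenger.items():
        refs = [f"{sec} - {body}" for sec, body, paths in hjt_entries
                if any(p.lower() == key for p in paths)]
        status = res["status"]
        report[res["path"]] = {
            "deleted": res["deleted"],
            "status": None if status is None else NTSTATUS_NAMES.get(status, hex(status)),
            "still_referenced_by": refs,
        }
    return report

def multi_hook_files(hjt_entries):
    """Files loaded through more than one HijackThis section, e.g. one DLL that is
    both a BHO (O2) and a Winlogon Notify handler (O20)."""
    by_file = defaultdict(set)
    for sec, _body, paths in hjt_entries:
        for p in paths:
            by_file[p.lower()].add(sec)
    return {p: sorted(secs) for p, secs in by_file.items() if len(secs) > 1}

if __name__ == "__main__":
    hjt = parse_hjt_log(HJT_LOG)
    for path, info in cross_check(parse_avenger_log(AVENGER_LOG), hjt).items():
        print(path, info)
    print("multi-hook files:", multi_hook_files(hjt))
```

Run as-is, the report shows `wawcrw.exe` deleted but still referenced by the `[winsync]` Run value, `bfmnmaoe.dll` reported as STATUS_OBJECT_NAME_NOT_FOUND, and `iuen71u.dll` loaded through both O2 and O20, which is the state the "still showing up" reply above describes. To use it on real logs, replace the two embedded strings with the contents of `C:\avenger.txt` and the fresh HijackThis log.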


