Hijack This Logs


This topic is locked
21 replies to this topic

#1 kanganova

  • Members
  • 18 posts

Posted 06 November 2006 - 11:31 PM

Tried scanning with Ad-Aware, Spybot, AVS in safe mode... can't seem to get rid of it.

Please help guide me to delete this.

Logfile of HijackThis v1.99.1
Scan saved at 7:12:58 PM, on 11/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\lvhidsvc.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\Program Files\802.11 Wireless LAN\USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\DU Meter\DUMETER.EXE
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\!!!Downloads\HijackThis199.exe

R3 - URLSearchHook: (no name) - {EC709B81-586E-55B8-46E3-57C0DB5D5396} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll
O2 - BHO: (no name) - {983443E1-740B-4EC3-AE9F-7CEF08DBF408} - C:\Program Files\WindowsUpdate\hozemod.dll (file missing)
O2 - BHO: Iconizer - {AA1A4F83-B4AC-4859-8C91-21DBE6C5625B} - C:\WINDOWS\system32\nodeipproc.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - Startup: DU Meter (2).lnk = C:\Program Files\DU Meter\DUMETER.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Games\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Games\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {4E52C32F-C143-4963-A758-2DB07703CB49} (YahooCS Class) - http://kr.memo.yahoo.com/CAB/YahooWCS.cab
O16 - DPF: {79419762-2D03-48F8-A63E-0544D95143DE} (AutoPatchOCX Control) - http://www.x2game.com/Control/AutoPatchOCX.cab
O16 - DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} (MultiUpload Control) - http://www.clubbox.co.kr/neo.fld/MultiUpload.cab
O18 - Protocol: advert - {7DC356B2-7366-4F19-BF7A-4875F6AABEA0} - C:\WINDOWS\system32\nodeipproc.dll (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\dksynth.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote HID Service (LvHidSvc) - Philips - C:\WINDOWS\System32\lvhidsvc.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe


#2 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 07 November 2006 - 09:13 AM

Hello,

I see you are running AdWatch.
I suggest you disable it because it can interfere with the fixes.

To disable AdWatch:

Open AdAware SE.
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see two options, Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both options. You can enable these after resolving your problem.

Extra note...

I note in your log that you have FlashGet the download manager -
Be aware that the trial copy bundles Cydoor adware, but when you register the Ads disappear. So in case you didn't purchase it, I recommend you remove it.
To remove the program: Go to Start > Settings > Control Panel > Add/Remove Programs and remove it.

Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - URLSearchHook: (no name) - {EC709B81-586E-55B8-46E3-57C0DB5D5396} - (no file)
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll
O2 - BHO: (no name) - {983443E1-740B-4EC3-AE9F-7CEF08DBF408} - C:\Program Files\WindowsUpdate\hozemod.dll (file missing)
O2 - BHO: Iconizer - {AA1A4F83-B4AC-4859-8C91-21DBE6C5625B} - C:\WINDOWS\system32\nodeipproc.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Games\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Games\PartyPoker.net\partypokernet.exe (file missing)
O18 - Protocol: advert - {7DC356B2-7366-4F19-BF7A-4875F6AABEA0} - C:\WINDOWS\system32\nodeipproc.dll (file missing)
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\dksynth.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

This infection creates the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load with extra values under it as well. This isn't a default key anyway, so it is better to remove it together with another value this malware has set.

* Open Notepad and copy and paste the text in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=-

Save this as fix.reg, choosing to save as "all files", and place it on your desktop.
Double-click on it and, when it asks if you want to merge the contents into the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Delete the following files if still present:

C:\windows\us2installer*** (*** stands for a random number)
C:\Windows\system32\ipv6mons.dll
C:\Windows\system32\ipv6monr.dll
C:\Windows\System32\my.pfx

Concerning Smitfraud-C being flagged all the time, perform the following:
* Download DelDomains.inf and save it to your desktop.
Rightclick on it and choose 'install'.

Once done:
* Download ComboFix to your desktop.
Double-click combofix.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

After performing the above steps, once C:\WINDOWS\system32\ipv6mons.dll is deleted, change all your passwords, because the above one is a password stealer.
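The checks the helper applied by eye above (entries whose target file is gone, Cyrillic look-alike letters in paths, core Windows process names starting from outside the Windows folder), as an added Python example that is not code from this thread, from HijackThis or from ComboFix. The HOMOGLYPHS and SYSTEM_NAMES tables are the example's own; the sample lines are taken from the logs posted in this thread, with the Cyrillic letters written as \u escapes so they are visible.

```python
"""Triage of HijackThis / ComboFix log lines: the checks done by eye above, as code."""
import re
from typing import Dict, List, Optional

# Cyrillic letters that render identically to Latin ones, mapped to the Latin
# letter they impersonate (example's own list, given as code points to be explicit).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",
    "\u0423": "Y", "\u0425": "X", "\u0405": "S",
})

# Core Windows process names that malware borrows; the genuine ones live under
# %SystemRoot% (example's own list, not taken from the thread).
SYSTEM_NAMES = {"lsass.exe", "explorer.exe", "spoolsv.exe", "svchost.exe",
                "winlogon.exe", "services.exe", "smss.exe", "csrss.exe"}
WINDOWS_DIRS = ("c:\\windows\\",)

# A drive-letter path, spaces allowed, ending at the first .exe/.dll/.sys.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)


def _fold(s: str) -> str:
    """Replace Cyrillic look-alikes with the Latin letters they imitate."""
    return s.translate(HOMOGLYPHS)


def extract_path(line: str) -> Optional[str]:
    """Pull the first executable path out of a HijackThis or .reg-style line.

    .reg exports (as in the ComboFix log) double every backslash; undo that first.
    """
    m = PATH_RE.search(line.replace("\\\\", "\\"))
    return m.group(0) if m else None


def triage(line: str) -> List[str]:
    """Return the reasons a log line deserves a second look ([] if none)."""
    reasons: List[str] = []
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("dangling entry: target file no longer exists")
    path = extract_path(line)
    if path is None:
        return reasons
    if any(ord(ch) > 0x7F for ch in path):
        reasons.append(f"non-ASCII characters in path (reads as {_fold(path)!r})")
    folded = _fold(path)
    name = folded.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_NAMES and not folded.lower().startswith(WINDOWS_DIRS):
        reasons.append(f"{name} launched from outside the Windows directory")
    return reasons


def triage_log(lines) -> Dict[str, List[str]]:
    """Run triage over many lines; keep only those with findings."""
    findings: Dict[str, List[str]] = {}
    for raw in lines:
        line = raw.strip()
        hits = triage(line)
        if hits:
            findings[line] = hits
    return findings


# Sample input constructed from entries in this thread's HijackThis and ComboFix
# logs; the Cyrillic letters are written as \u escapes so they stand out.
SAMPLE_LOG = [
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll",
    r"O2 - BHO: (no name) - {983443E1-740B-4EC3-AE9F-7CEF08DBF408} - C:\Program Files\WindowsUpdate\hozemod.dll (file missing)",
    r"O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\dksynth.dll (file missing)",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    # "lsass.exe" under a profile folder whose name starts with Cyrillic U (U+0423)
    '"command"="\\"C:\\\\DOCUME~1\\\\Kanga\\\\APPLIC~1\\\\\u0423MANT~1\\\\lsass.exe\\" -vt tzt"',
    # "explorer.exe" with Cyrillic kha (U+0445), in a "Fonts" folder with Cyrillic o (U+043E)
    '"command"="C:\\\\Program Files\\\\Common Files\\\\F\u043ents\\\\e\u0445plorer.exe"',
]

if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("   ->", reason)
```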

#3 kanganova

  • Topic Starter

  • Members
  • 18 posts

Posted 07 November 2006 - 12:48 PM

Kanga - 06-11-07 9:35:56.90 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Kanga\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\media_motor_bundle.exe
C:\WINDOWS\system32\icon_mediamotor.exe
C:\WINDOWS\system32\ts_mediamotor.exe
C:\WINDOWS\system32\wnsintsv.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe


((((((((((((((((((((((((((((((( Files Created from 2006-10-07 to 2006-11-07 ))))))))))))))))))))))))))))))))))


2006-11-04 19:08 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-03 21:59 737,280 --a------ C:\WINDOWS\iun6002.exe
2006-11-03 21:43 901,120 --a------ C:\WINDOWS\otsUNIN.exe
2006-10-31 10:37 1,245,184 -ra------ C:\WINDOWS\system32\clubbox.exe
2006-10-27 11:43 70,960 --a------ C:\WINDOWS\system32\LiveUp.exe
2006-10-27 11:43 567,088 --a----t- C:\WINDOWS\system32\SearchMe_Setup.exe
2006-10-26 06:04 1,568,768 -ra------ C:\WINDOWS\system32\pdbox28.exe
2006-10-24 06:53 122,880 -ra------ C:\WINDOWS\system32\downengine.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-07 09:36 -------- d-------- C:\Program Files\Common Files
2006-11-07 09:15 -------- d-------- C:\Program Files\FlashGet
2006-11-04 19:57 -------- d-------- C:\Program Files\Internet Explorer
2006-11-04 19:08 -------- d-------- C:\Program Files\Grisoft
2006-11-04 18:56 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-04 18:23 -------- d-------- C:\Program Files\Pruna
2006-11-04 11:18 5798 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-03 22:11 -------- d-------- C:\Program Files\Replay Converter
2006-11-03 22:10 34308 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-11-03 12:01 -------- d-------- C:\Documents and Settings\Kanga\Application Data\??mantec
2006-10-31 11:11 21 --a------ C:\WINDOWS\system32\drcheck.dll
2006-10-27 17:15 -------- d-------- C:\Program Files\BitTorrent
2006-10-27 17:15 -------- d-------- C:\Documents and Settings\Kanga\Application Data\BitTorrent
2006-10-27 17:09 -------- d-------- C:\Program Files\nbpro
2006-10-27 09:19 -------- d-------- C:\Program Files\DOSBox-0.63
2006-10-25 08:13 -------- d--h----- C:\Program Files\FX Uninstall Information
2006-10-16 21:36 -------- d-------- C:\Program Files\Google
2006-10-09 09:52 -------- d-------- C:\Program Files\PokerChamps
2006-08-28 08:21 327680 -ra------ C:\WINDOWS\system32\grdupdater.exe
2006-08-23 08:00 32485 --a------ C:\WINDOWS\system32\uninstIcn.exe
2006-08-11 08:18 61440 --a------ C:\WINDOWS\system32\nod.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AWMON"="\"C:\\PROGRA~1\\Lavasoft\\AD-AWA~2\\Ad-Watch.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TM Outbreak Agent"="\"C:\\Program Files\\Trend Micro\\Internet Security\\TMOAgent.exe\" /run"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"PCClient.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security\\PCClient.exe\""
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security\\pccguide.exe\""
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ClubBox"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="http://www.the-leaky-cauldron.org/widgets/count-ootp_adi.html"
"SubscribedURL"="http://www.the-leaky-cauldron.org/widgets/count_ootp.cdf"
"FriendlyName"="LeakyNews counts down to Order of the Phoenix the Movie"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,10,03,00,00,15,01,00,00,31,01,00,00,b9,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,10,03,00,00,15,01,00,00,31,01,00,00,b9,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LCDPlayer.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\LCDPlayer.lnk"
"backup"="C:\\WINDOWS\\pss\\LCDPlayer.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SPACEI~1\\CDSPAC~1\\LCDPlyer.exe "
"item"="LCDPlayer"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aiknbs]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="?рoolsv"
"hkey"="HKCU"
"command"="C:\\Program Files\\Common Files\\sеcurity\\?рoolsv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClubBox]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndref_7"
"hkey"="HKLM"
"command"="C:\\\\dfndref_7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrVirus]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DrVirus"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Drvirus\\DrVirus.exe\" -sh"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EAj0CKHK]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wkynoum"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\wkynoum.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eMuleAutoStart]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Donkeyhote"
"hkey"="HKCU"
"command"="C:\\Program Files\\dongkey\\Donkeyhote.exe -AutoStart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ipwins"
"hkey"="HKLM"
"command"="C:\\Program Files\\ipwins\\ipwins.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\irssyncd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="irssyncd"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\irssyncd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="istsvc"
"hkey"="HKLM"
"command"="C:\\Program Files\\ISTsvc\\istsvc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdef_7"
"hkey"="HKLM"
"command"="C:\\\\kybrdef_7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ImScInst"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmef_7"
"hkey"="HKLM"
"command"="C:\\\\nwnmef_7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Olydp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jаvaw"
"hkey"="HKCU"
"command"="C:\\Program Files\\sуstem\\jаvaw.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pnrt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lsass"
"hkey"="HKCU"
"command"="\"C:\\DOCUME~1\\Kanga\\APPLIC~1\\УMANT~1\\lsass.exe\" -vt tzt"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pop06ap]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pop06ap2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\pop06ap2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecSche]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RecSche"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\LifeView TVR\\RecSche.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rmctrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\rmctrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanRegistry]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="W"
"hkey"="HKLM"
"command"="C:\\W"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StillImageMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="W"
"hkey"="HKLM"
"command"="C:\\W"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfAccuracy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SAcc"
"hkey"="HKLM"
"command"="C:\\Program Files\\SurfAccuracy\\SAcc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ssk"
"hkey"="HKLM"
"command"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.711.1664\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vakduqc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="eхplorer"
"hkey"="HKCU"
"command"="C:\\Program Files\\Common Files\\Fоnts\\eхplorer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whAgent"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whSurvey"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whSurvey.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDVRCtrl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WDVRCtrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\WDVRCtrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_KANGA_Kanga.job

Completion time: 06-11-07 9:38:27.89
C:\ComboFix.txt ... 06-11-07 09:38


Logfile of HijackThis v1.99.1
Scan saved at 9:43:13 AM, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\lvhidsvc.exe
C:\Program Files\802.11 Wireless LAN\USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\Program Files\DU Meter\DUMETER.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Documents and Settings\Kanga\Desktop\HijackThis199.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - Startup: DU Meter (2).lnk = C:\Program Files\DU Meter\DUMETER.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {4E52C32F-C143-4963-A758-2DB07703CB49} (YahooCS Class) - http://kr.memo.yahoo.com/CAB/YahooWCS.cab
O16 - DPF: {79419762-2D03-48F8-A63E-0544D95143DE} (AutoPatchOCX Control) - http://www.x2game.com/Control/AutoPatchOCX.cab
O16 - DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} (MultiUpload Control) - http://www.clubbox.co.kr/neo.fld/MultiUpload.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote HID Service (LvHidSvc) - Philips - C:\WINDOWS\System32\lvhidsvc.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

#4 kanganova (Topic Starter)

Posted 07 November 2006 - 12:58 PM

Thank you for the quick response...

I followed every step as you mentioned, except
there were two files, ipv6mon.dll and ipv6montr.dll.
I didn't delete these because the names are a little different (no 's' and an added 't').

I don't know whether it's fixed or not.
Ad-Aware detected a few registry modifications at startup,
as when I had the virus. Before the virus I rarely had any changes.


Ad-Watch Logfile, exported on 11/7/2006
Total number of events:10
===============================================
11/7/2006 9:39:37 AM - Definitions file SE1R130 02.11.2006 loaded successfully.
Build:SE1R130 02.11.2006
Total Signatures :69477
Target Families :1005
Target Categories :6
CSI data Size :294916

File Size :2672513

===============================================
11/7/2006 9:39:37 AM - User preferences file loaded.
Ad-Watch preference file loaded.
Applying user settings
C:\Documents and Settings\Kanga\Application Data\Lavasoft\Ad-Aware\awsettings.awc
Initialization complete.




===============================================
11/7/2006 9:39:37 AM - Sites file loaded.
Sites file loaded successfully.
C:\PROGRA~1\Lavasoft\AD-AWA~2\sites.txt
Total entries : 3223





===============================================
11/7/2006 9:39:57 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Toolbar\Webbrowser
Value:{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}
Data:1
New Data:



===============================================
11/7/2006 9:39:57 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:KernelFaultCheck
Data:%systemroot%\system32\dumprep 0 -k
New Data:



===============================================
11/7/2006 9:40:56 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Search
Value:SearchAssistant
Data:http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
New Data:http://www.google.com/ie



===============================================
11/7/2006 9:40:56 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\SearchUrl
Value:
Data:http://www.google.com/keyword/%s
New Data:http://www.google.com/search?q=%s



===============================================
11/7/2006 9:40:56 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Main
Value:Default_Search_URL
Data:http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
New Data:http://www.google.com/ie



===============================================
11/7/2006 9:40:56 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Search
Value:Default_Search_URL
Data:
New Data:http://www.google.com/ie



===============================================
11/7/2006 9:40:56 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Search
Value:SearchAssistant
Data:http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
New Data:http://www.google.com/ie



===============================================
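
As an added example (not part of the original thread), a small parser for the Ad-Watch export format above. It separates the informational blocks from "Registry modification detected" events and reads an empty "New Data" as a deletion, which is the shape the KernelFaultCheck and toolbar alerts take right after a HijackThis fix. The sample log is a constructed excerpt of the export above; the field names follow the export, the deleted/created/changed classification is the editor's.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt in the Ad-Watch export format shown above: one
# informational block and three of the seven "Registry modification detected"
# events, copied in shape from the log. Not the complete export.
SAMPLE_ADWATCH_LOG = r"""
===============================================
11/7/2006 9:39:37 AM - Definitions file SE1R130 02.11.2006 loaded successfully.
Build:SE1R130 02.11.2006

===============================================
11/7/2006 9:39:57 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Toolbar\Webbrowser
Value:{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}
Data:1
New Data:

===============================================
11/7/2006 9:39:57 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:KernelFaultCheck
Data:%systemroot%\system32\dumprep 0 -k
New Data:

===============================================
11/7/2006 9:40:56 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Search
Value:SearchAssistant
Data:http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
New Data:http://www.google.com/ie
"""

EVENT_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) - (.+)$")
SEPARATOR_RE = re.compile(r"^=+\s*$", re.M)


@dataclass
class RegChange:
    timestamp: str
    root: str
    key: str
    value: str
    old: str
    new: str

    @property
    def kind(self) -> str:
        # Ad-Watch logs a deletion as an event whose "New Data" is empty. That
        # is exactly what a HijackThis "Fix checked" on an O4 entry looks like
        # from the monitor's point of view, hence the alerts after a fix.
        if self.new == "":
            return "deleted"
        if self.old == "":
            return "created"
        return "changed"

    @property
    def path(self) -> str:
        return f"{self.root}\\{self.key}\\{self.value}"


def parse_adwatch(text: str) -> List[RegChange]:
    """Extract registry modification events from an Ad-Watch log export."""
    changes: List[RegChange] = []
    for block in SEPARATOR_RE.split(text):
        lines = block.strip().splitlines()
        if not lines:
            continue
        m = EVENT_RE.match(lines[0].strip())
        if not m or m.group(2).strip() != "Registry modification detected":
            continue  # definitions/preferences/sites blocks carry no registry data
        fields: Dict[str, str] = {}
        for line in lines[1:]:
            name, sep, val = line.partition(":")
            if sep:
                fields[name.strip()] = val.strip()
        changes.append(RegChange(
            timestamp=m.group(1),
            root=fields.get("Root", ""),
            key=fields.get("Key", ""),
            value=fields.get("Value", ""),
            old=fields.get("Data", ""),
            new=fields.get("New Data", ""),
        ))
    return changes


def count_by_kind(changes: List[RegChange]) -> Dict[str, int]:
    """How many events were deletions, creations or value changes."""
    return dict(Counter(c.kind for c in changes))


if __name__ == "__main__":
    for c in parse_adwatch(SAMPLE_ADWATCH_LOG):
        print(f"{c.kind:8} {c.path}  {c.old!r} -> {c.new!r}")
```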

#5 miekiemoes (Malware Response Team)

Posted 07 November 2006 - 01:28 PM

Hi,

I followed every step as you mentioned, except
there were two files, ipv6mon.dll and ipv6montr.dll.
I didn't delete these because the names are a little different (no 's' and an added 't').


Yes, delete them as well if not deleted already.

Ad-Aware detected a few registry modifications at startup,
as when I had the virus. Before the virus I rarely had any changes.


That's why I asked you to disable Ad-Watch, so it won't interfere with the fixes. It's normal that it displays alerts when you enable it again, because I asked you to fix entries in HijackThis previously. That's what Ad-Watch sees now: that they were modified/deleted. So here you have to allow the changes, otherwise Ad-Watch will put the entries you fixed back again.

We made progress here. I see you were terribly infected previously as well, so we still have a lot to clean up.
I am going to let you run some extra tools to delete leftovers, because ComboFix doesn't display everything, since the infections you were dealing with previously are already a couple of months old.

So do next:


* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by double-clicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon as shown in the next picture: [image]
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste the next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click OK.
Then click Execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script
(alcanshorty.bfu) manually from the above URL (right-click on it and choose 'Save as' and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute' window.
Browse to the script you downloaded and click OK and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to pop up and press OK.
Press Exit to terminate the BFU program.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Delete next folders and file:

C:\Program Files\FlashGet <== folder, since you uninstalled Flashget as I see in your log
C:\Documents and Settings\Kanga\Application Data\??mantec <== folder, will most probably look like Symantec
C:\WINDOWS\system32\uninstIcn.exe <== file

I see you have set active desktop as well, called "LeakyNews counts down to Order of the Phoenix the Movie"
If you don't know it, * Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Uncheck and delete the "LeakyNews counts down to Order of the Phoenix the Movie" there.
Hit ok below > apply in previous window.

You have also disabled a lot of bad startup keys via msconfig. They should be deleted, not disabled, so to delete them, perform the next steps:

Open Notepad and copy and paste the text in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aiknbs]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EAj0CKHK]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\irssyncd]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Olydp]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pnrt]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pop06ap]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfAccuracy]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vakduqc]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]

Save this as fix.reg (choose to save as *all files) and place it on your desktop.
It should look like this: [image]
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

I see some files present I don't recognise.. They could be malware related. That's why I want you to submit/upload them so they can be scanned by several AV scanners..
Go to the next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to the next file:

C:\WINDOWS\otsUNIN.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in notepad, because I need the results later.
Perform the same for the next files:

C:\WINDOWS\system32\LiveUp.exe
C:\WINDOWS\system32\SearchMe_Setup.exe

As a final cleanup..
Download and install Superantispyware
  • Load Superantispyware and click the check for updates button.
  • Once the update is finished click the scan your computer button.
  • Check Perform Complete Scan and then next.
  • Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
  • I'll need a log afterwards of what has been found.
  • To get the log, Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Post the contents of the log in your next reply together with the results from the VirusTotal scan (the files you uploaded) and a new HijackThis log.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
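
The fix.reg above relies on two pieces of .reg syntax: the REGEDIT4 header, without which regedit refuses the file (hence the reminder to copy it), and the leading '-' inside the square brackets, which deletes the key instead of creating it. As an added example (editor's code, not from the post or from any tool named in it), a parser that makes those operations explicit and checks that every key a file touches stays inside the msconfig startupreg subtree. FIX_REG holds three of the sixteen keys from the post; OTHER_REG and ALLOWED_PREFIX are constructed for illustration.

```python
import re
from typing import List, Tuple

# The subtree the fix above is meant to touch; anything else is out of scope.
ALLOWED_PREFIX = "HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\"

# Three of the sixteen entries from the fix.reg in the post above.
FIX_REG = """REGEDIT4

[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\IST Service]

[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\SurfSideKick 3]

[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\webHancer Agent]
"""

# Constructed, hypothetical file used only to show what the scope check rejects:
# a key in a sibling subtree, a key creation, and a "name"=- value deletion.
OTHER_REG = """REGEDIT4

[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupfolder\\Example]

[HKEY_CURRENT_USER\\Software\\Example]
"OldValue"=-
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
SECTION_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

Op = Tuple[str, str, str]  # (operation, key path, value name or "")


def parse_reg(text: str) -> List[Op]:
    """Turn a .reg file into explicit operations.

    [KEY]       creates/opens KEY         [-KEY]      deletes KEY and its subkeys
    "name"=...  sets a value under KEY    "name"=-    deletes that value
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        # regedit refuses a file without this first line, which is why the
        # post insists that REGEDIT4 be copied along with the key list.
        raise ValueError("missing or unknown .reg header")
    ops: List[Op] = []
    current_key = None
    for raw in lines[1:]:
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current_key = m.group(2)
            ops.append(("delete_key" if m.group(1) else "create_key", current_key, ""))
            continue
        v = VALUE_RE.match(line)
        if v and current_key is not None:
            op = "delete_value" if v.group(2).strip() == "-" else "set_value"
            ops.append((op, current_key, v.group(1)))
    return ops


def out_of_scope(ops: List[Op], allowed_prefix: str) -> List[str]:
    """Key paths outside the allowed subtree (registry paths are case-insensitive)."""
    prefix = allowed_prefix.lower()
    return [key for _, key, _ in ops if not key.lower().startswith(prefix)]


if __name__ == "__main__":
    for op in parse_reg(FIX_REG):
        print(op)
    print("out of scope:", out_of_scope(parse_reg(OTHER_REG), ALLOWED_PREFIX))
```

Deleting a startupreg key removes only msconfig's record of a disabled startup item; the entries in the live Run keys were already handled by the HijackThis fixes above, which is why the two steps are separate.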

#6 kanganova (Topic Starter)

Posted 07 November 2006 - 02:56 PM

I tried to delete the file ipv6mon.dll;
it comes back to the folder even though the deleted file is in the trash can.

Here are some similar names... should I delete these?
ip6.exe
ipxmontr.dll
ipmontr.dll

I have completed most of the tasks except the last scanning...
It seems to be doing nothing for 10 mins while scanning my backup hard drive,
scanning the same section with no hard drive activity.
It finished drive C though.

I will try to update the partial scanning after reboot.

Thank you for your help.

Edited by kanganova, 07 November 2006 - 03:04 PM.


#7 miekiemoes (Malware Response Team)

Posted 07 November 2006 - 03:00 PM

Wait a minute.. you are saying ipv6mon.dll??
I misread that and didn't notice it was without the s.. no, don't delete it; that one is legit/ok.
Don't delete ip6.exe, ipxmontr.dll or ipmontr.dll either, because they are legit/ok as well.

Let me know in your next reply how things are now.

#8 kanganova (Topic Starter)

Posted 07 November 2006 - 03:01 PM

STATUS: FINISHEDComplete scanning result of "otsUNIN.exe", received in VirusTotal at 11.07.2006, 19:55:13 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.37 11.07.2006 no virus found
Authentium 4.93.8 11.07.2006 no virus found
Avast 4.7.892.0 11.07.2006 no virus found
AVG 386 11.07.2006 no virus found
BitDefender 7.2 11.07.2006 no virus found
CAT-QuickHeal 8.00 11.07.2006 no virus found
ClamAV devel-20060426 11.07.2006 no virus found
DrWeb 4.33 11.07.2006 no virus found
eTrust-InoculateIT 23.73.48 11.07.2006 no virus found
eTrust-Vet 30.3.3181 11.07.2006 no virus found
Ewido 4.0 11.07.2006 no virus found
Fortinet 2.82.0.0 11.07.2006 no virus found
F-Prot 3.16f 11.07.2006 no virus found
F-Prot4 4.2.1.29 11.07.2006 no virus found
Ikarus 0.2.65.0 11.07.2006 no virus found
Kaspersky 4.0.2.24 11.07.2006 no virus found
McAfee 4890 11.07.2006 no virus found
Microsoft 1.1609 11.07.2006 no virus found
NOD32v2 1.1857 11.07.2006 no virus found
Norman 5.80.02 11.07.2006 no virus found
Panda 9.0.0.4 11.07.2006 Suspicious file
Sophos 4.11.0 11.07.2006 no virus found
TheHacker 6.0.1.113 11.06.2006 no virus found
UNA 1.83 11.06.2006 no virus found
VBA32 3.11.1 11.07.2006 no virus found
VirusBuster 4.3.15:9 11.07.2006 no virus found


Aditional Information
File size: 901120 bytes
MD5: 4343b062717b3b06d208d7300d233401



STATUS: FINISHEDComplete scanning result of "LiveUp.exe", received in VirusTotal at 11.07.2006, 20:00:06 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.37 11.07.2006 no virus found
Authentium 4.93.8 11.07.2006 no virus found
Avast 4.7.892.0 11.07.2006 no virus found
AVG 386 11.07.2006 no virus found
BitDefender 7.2 11.07.2006 no virus found
CAT-QuickHeal 8.00 11.07.2006 no virus found
ClamAV devel-20060426 11.07.2006 no virus found
DrWeb 4.33 11.07.2006 no virus found
eTrust-InoculateIT 23.73.48 11.07.2006 no virus found
eTrust-Vet 30.3.3181 11.07.2006 no virus found
Ewido 4.0 11.07.2006 no virus found
Fortinet 2.82.0.0 11.07.2006 suspicious
F-Prot 3.16f 11.07.2006 no virus found
F-Prot4 4.2.1.29 11.07.2006 no virus found
Ikarus 0.2.65.0 11.07.2006 no virus found
Kaspersky 4.0.2.24 11.07.2006 no virus found
McAfee 4890 11.07.2006 no virus found
Microsoft 1.1609 11.07.2006 no virus found
NOD32v2 1.1857 11.07.2006 no virus found
Norman 5.80.02 11.07.2006 no virus found
Panda 9.0.0.4 11.07.2006 Suspicious file
Sophos 4.11.0 11.07.2006 no virus found
TheHacker 6.0.1.113 11.06.2006 no virus found
UNA 1.83 11.06.2006 no virus found
VBA32 3.11.1 11.07.2006 no virus found
VirusBuster 4.3.15:9 11.07.2006 no virus found


Aditional Information
File size: 70960 bytes
MD5: 02eb824c0f478f350ad3cbabfa1e50a6
SHA1: 89a02b40cfd922ebcdcc2f194bd1c35323bdc578



STATUS: FINISHEDComplete scanning result of "SearchMe_Setup.exe", received in VirusTotal at 11.07.2006, 20:09:45 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.37 11.07.2006 no virus found
Authentium 4.93.8 11.07.2006 no virus found
Avast 4.7.892.0 11.07.2006 no virus found
AVG 386 11.07.2006 no virus found
BitDefender 7.2 11.07.2006 no virus found
CAT-QuickHeal 8.00 11.07.2006 no virus found
ClamAV devel-20060426 11.07.2006 no virus found
DrWeb 4.33 11.07.2006 no virus found
eTrust-InoculateIT 23.73.48 11.07.2006 no virus found
eTrust-Vet 30.3.3181 11.07.2006 no virus found
Ewido 4.0 11.07.2006 no virus found
Fortinet 2.82.0.0 11.07.2006 no virus found
F-Prot 3.16f 11.07.2006 no virus found
F-Prot4 4.2.1.29 11.07.2006 no virus found
Ikarus 0.2.65.0 11.07.2006 no virus found
Kaspersky 4.0.2.24 11.07.2006 no virus found
McAfee 4890 11.07.2006 no virus found
Microsoft 1.1609 11.07.2006 no virus found
NOD32v2 1.1857 11.07.2006 no virus found
Norman 5.80.02 11.07.2006 no virus found
Panda 9.0.0.4 11.07.2006 no virus found
Sophos 4.11.0 11.07.2006 no virus found
TheHacker 6.0.1.113 11.06.2006 no virus found
UNA 1.83 11.07.2006 no virus found
VBA32 3.11.1 11.07.2006 no virus found
VirusBuster 4.3.15:9 11.07.2006 no virus found


Aditional Information
File size: 567088 bytes
MD5: a694b3fc3a2f9cc57ac0433d3d11c0c0
SHA1: 3541650866ad3086392c199e1263d4d94272983a





SUPERAntiSpyware Scan Log
Generated 11/07/2006 at 11:52 AM

Application Version : 3.3.1020

Core Rules Database Version : 3122
Trace Rules Database Version: 1142

Scan type : Complete Scan
Total Scan Time : 00:37:58

Memory items scanned : 354
Memory threats detected : 0
Registry items scanned : 4589
Registry threats detected : 3
File items scanned : 32622
File threats detected : 157

Adware.Tracking Cookie
C:\Documents and Settings\Kanga\Cookies\kanga@entrepreneur.122.2o7[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@fcstats.bcentral[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@microsofteup.112.2o7[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@www.burstbeacon[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@tracker.myspacemaps[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ad.pdbox.co[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@msnportal.112.2o7[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@mb[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@anad.tacoda[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@adcentriconline[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@cz5.clickzs[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@payasyouclick[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@image.masterstats[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@hot-sex-movies[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@atwola[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ad.krutilka[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@cgi-bin[4].txt
C:\Documents and Settings\Kanga\Cookies\kanga@partygaming.122.2o7[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@cgi-bin[9].txt
C:\Documents and Settings\Kanga\Cookies\kanga@rotator.adjuggler[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@tsn.112.2o7[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@nbcuniversal.122.2o7[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@e-2dj6wfloolcjcao.stats.esomniture[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ad-indicator[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@adrenaline[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@advertstream[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@partner2profit[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@roiservice[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@kanoodle[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ad1.targetgraph[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ads.cnn[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@e-2dj6wjlyeicpieq.stats.esomniture[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@st[3].txt
C:\Documents and Settings\Kanga\Cookies\kanga@cz6.clickzs[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@click.netpondcash[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@st[4].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ad[4].txt
C:\Documents and Settings\Kanga\Cookies\kanga@www.dailyindiansex[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@cgi-bin[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@www.indiansexpost[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@hit.stat[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@dist.belnk[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@cnn.122.2o7[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@cgi-bin[7].txt
C:\Documents and Settings\Kanga\Cookies\kanga@cz3.clickzs[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@www.burstnet[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@belnk[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@revsci[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@1070791529[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@adv.webmd[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@cz4.clickzs[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@banners.nbcupromotes[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@usatoday1.112.2o7[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@mb[4].txt
C:\Documents and Settings\Kanga\Cookies\kanga@tacoda[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@adknowledge[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@wizcounter[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ad1.dmcmedia.co[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ads.monster[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@adbrite[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@32849030[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@interclick[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ads.belointeractive[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ad-cross.co[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@dsml.clickexperts[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@adlegend[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@burstnet[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ad.hankooki[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@yadro[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@webstats4u[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@bizrate[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@a.websponsors[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@www.jackpotmadness[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ad1.clickhype[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@azjmp[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@toplist[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@partypoker[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@stats[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ads2.drivelinemedia[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@www.drivecleaner[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ursexy.co[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@komtrack[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ad2.adecn[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ads.thestar[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@vip.clickzs[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@www.sexydesktop.co[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@leeenterprises.112.2o7[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@adv.surinter[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@www.belstat[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@stats1.reliablestats[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ads.realtechnetwork[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@www.pridestats[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ads.clubplanet[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@stats.ultimate-webservices[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@www.hotindiansex[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@adecn[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@handbag[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@cgi-bin[5].txt
C:\Documents and Settings\Kanga\Cookies\kanga@handbag[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@mediadis[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@maxim.122.2o7[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@campaign.indieclick[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@clicksor[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ats[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@cgi-bin[8].txt
C:\Documents and Settings\Kanga\Cookies\kanga@chumtv.122.2o7[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ning.122.2o7[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@data3.perf.overture[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@xiti[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ads.centraliprom[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@track.websitetrafficreport[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@go.drivecleaner[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ad.pandora[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@mb[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@s[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@toplist[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@4stats[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@mssexysexy.zoomshare[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@stats.bigdrum[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@entrepreneur[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@1071918290[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@cgi-bin[3].txt
C:\Documents and Settings\Kanga\Cookies\kanga@volkswagen.122.2o7[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@i.screensavers[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@adopt.specificclick[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ad.zanox[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@cbs.112.2o7[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@entertainment[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@harpo.122.2o7[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ads.tbs[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@h.starware[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@enhance[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@bannerspace[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@1065026635[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ad.movist[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@adultfriendfinder[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@www.screensavers[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@searchadnetwork[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ads.gamershell[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@warlog[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@1069674958[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ex=1_[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@geo.precisionclick[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@nads1.nasads[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@indexstats[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@stats.drivecleaner[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ad.dinno[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@webstat[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@www.searchadnetwork[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@cz8.clickzs[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@try.starware[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@drivecleaner[1].txt
C:\Documents and Settings\Kanga\Cookies\kanga@ads.jt[2].txt
C:\Documents and Settings\Kanga\Cookies\kanga@screensavers[2].txt

Adware.MediaMotor
C:\WINDOWS\mm06y.ini

Adware.ClickSpring/Yazzle
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1122Oin
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1122Oin#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1122Oin#UninstallString

Trojan.Downloader-AgentDQ
C:\DOCUMENTS AND SETTINGS\KANGA\DESKTOP\BACKUPS\BACKUP-20061107-093207-272.DLL
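
The three reports above share one shape, so they can be compared mechanically: how many engines flagged the file, whether those hits are heuristic ("suspicious") or named detections, and the hashes that identify the exact file that was scanned. As an added example (not from the thread or from VirusTotal), a parser for that 2006 text format plus a hash check that confirms a local copy is the same file a report describes, so a report for a same-named but different file is not mistaken for it. The sample report is a constructed excerpt of the LiveUp.exe result above, trimmed to six engine rows; the verdict labels are the editor's.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed excerpt in the 2006 VirusTotal text-report format shown above.
# Engine rows are trimmed to six; results and hashes are copied from the
# LiveUp.exe report in the post. Not a complete report.
SAMPLE_VT_REPORT = """\
STATUS: FINISHEDComplete scanning result of "LiveUp.exe", received in VirusTotal at 11.07.2006, 20:00:06 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.37 11.07.2006 no virus found
Fortinet 2.82.0.0 11.07.2006 suspicious
Kaspersky 4.0.2.24 11.07.2006 no virus found
Panda 9.0.0.4 11.07.2006 Suspicious file
Sophos 4.11.0 11.07.2006 no virus found
VirusBuster 4.3.15:9 11.07.2006 no virus found


Aditional Information
File size: 70960 bytes
MD5: 02eb824c0f478f350ad3cbabfa1e50a6
SHA1: 89a02b40cfd922ebcdcc2f194bd1c35323bdc578
"""

# engine, version, update date (dd.mm.yyyy), result text
ROW_RE = re.compile(r"^(\S+) (\S+) (\d{2}\.\d{2}\.\d{4}) (.+)$")
CLEAN = "no virus found"


@dataclass
class VtReport:
    filename: str
    results: Dict[str, str]  # engine -> result text
    size: int
    md5: str
    sha1: str

    def flagged(self) -> Dict[str, str]:
        return {e: r for e, r in self.results.items() if r.lower() != CLEAN}

    def ratio(self) -> str:
        return f"{len(self.flagged())}/{len(self.results)}"

    def verdict(self) -> str:
        # Heuristic-only hits ("suspicious") from one or two engines are weak
        # evidence on their own; a named detection is a different matter.
        hits = self.flagged()
        if not hits:
            return "clean"
        if all("suspicious" in r.lower() for r in hits.values()):
            return "heuristic-only"
        return "detected"


def parse_vt_report(text: str) -> VtReport:
    """Parse one pasted VirusTotal text report into a VtReport."""
    name = re.search(r'result of "([^"]+)"', text)
    size = re.search(r"^File size:\s*(\d+)", text, re.M)
    md5 = re.search(r"^MD5:\s*([0-9a-fA-F]{32})", text, re.M)
    sha1 = re.search(r"^SHA1:\s*([0-9a-fA-F]{40})", text, re.M)
    results: Dict[str, str] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # header, STATUS and hash lines have no date in third position
            engine, _version, _updated, result = m.groups()
            results[engine] = result.strip()
    return VtReport(
        filename=name.group(1) if name else "",
        results=results,
        size=int(size.group(1)) if size else 0,
        md5=md5.group(1).lower() if md5 else "",
        sha1=sha1.group(1).lower() if sha1 else "",
    )


def digest_bytes(data: bytes) -> Tuple[str, str]:
    """(md5, sha1) hex digests of a local file's contents."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def matches_report(report: VtReport, local_bytes: bytes) -> bool:
    """True only if size and every hash the report carries match the local copy."""
    if report.size and len(local_bytes) != report.size:
        return False
    md5, sha1 = digest_bytes(local_bytes)
    if report.md5 and md5 != report.md5:
        return False
    if report.sha1 and sha1 != report.sha1:
        return False
    return True


if __name__ == "__main__":
    r = parse_vt_report(SAMPLE_VT_REPORT)
    print(r.filename, r.ratio(), r.verdict(), r.md5)
```

On the full reports above this gives 1/26 heuristic-only for otsUNIN.exe, 2/26 heuristic-only for LiveUp.exe and 0/26 for SearchMe_Setup.exe, which is why the hashes and the question "do you know this installer?" carry more weight than the engine counts here.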

#9 miekiemoes (Malware Response Team)

Posted 07 November 2006 - 03:05 PM

Hi,

Look at my previous post concerning ipv6mon.dll.
As I said, that one is legit/ok, and it is normal that it comes back all the time when you delete it.

The files you uploaded look ok/clean as well; however, do you know that program/installer SearchMe_Setup.exe??
LiveUp.exe should be related though, since it was installed at the same time.

#10 kanganova (Topic Starter)

Posted 07 November 2006 - 03:08 PM

OK, I didn't delete them...
However, I was going through my folders and....
a whole folder is missing.
It was C:\temp with subfolders...

I do remember using it until yesterday....

#11 miekiemoes (Malware Response Team)

Posted 07 November 2006 - 03:15 PM

You mean this folder is missing?
C:\Temp?

Don't really worry about that - it's not a default temp folder anyway, and some tools do remove that folder.

Did you install programs or download files into that temp folder?
If I may give you some good advice, never download and save files to a temp folder, because they will get deleted anyway.
If you want a separate folder to download files into, create a folder yourself and name it "downloads" or something similar.

Can you also answer my question about SearchMe_Setup.exe, as I asked in my previous post??

#12 kanganova
    Topic Starter

  • Members
  • 18 posts

Posted 07 November 2006 - 03:16 PM

I do remember a program I used was updating and installed a toolbar in Explorer.
So I deleted the program... almost the same date, and it's the only Korean toolbar that I've known.
I guess I can delete those two files....

#13 kanganova
    Topic Starter

  • Members
  • 18 posts

Posted 07 November 2006 - 03:18 PM

Ah... I had a lot of files backed up there.
What's a good undelete program?
And what are you using for real-time protection against malware?

#14 miekiemoes
    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 07 November 2006 - 03:31 PM

I do remember a program I used was updating and installed a toolbar in Explorer.
So I deleted the program... almost the same date, and it's the only Korean toolbar that I've known.
I guess I can delete those two files....


Yes, they are most probably related. The name SearchMe_Setup.exe sounds dubious as well and smells like spyware. So yes, delete SearchMe_Setup.exe and LiveUp.exe.

I am afraid you won't be able to retrieve the files you saved in that temp folder, though... That's why I said previously, never back up files in temp directories.
I am not familiar with undelete programs, since I have never used them, so I can't tell you which ones are good or not.
But if you perform a Google search for "Undelete", you'll find a lot of file recovery programs.
Just make sure you don't recover any of the malware-related files you deleted previously.

And what are you using for real-time protection against malware?


I am using Kaspersky Internet Security. This is not freeware, but a very powerful security suite IMHO.
Are you planning to install another antivirus and firewall? In case you do, make sure you uninstall the current one first, because having more than one antivirus and firewall installed can cause a lot of problems since they are not compatible.
There are also a lot of freeware antivirus and firewall programs which are great!
Just look in my signature for the ones I recommend.

Anyway, how are things running now?
Edit: I also hope you didn't forget my note about changing your passwords, because that is important.

Edited by miekiemoes, 07 November 2006 - 03:32 PM.


#15 kanganova
    Topic Starter

  • Members
  • 18 posts

Posted 07 November 2006 - 03:39 PM

Haven't changed it yet....
However, I was rescanning with Ad-Aware
and it detected the same Win32.Trojan.Downloader.
Still rescanning with SUPERAntiSpyware,
and it detected Adware.Toolbar888.

It will take at least 1 hour to do all 3 hard drives.



