P2esocks_1021.dll Missing On Startup + Notepad Directing To Casinopalazzo


This topic is locked. 29 replies to this topic.

#1 DeLuk (Portugal)

Posted 12 November 2006 - 07:43 AM

Greetings. :thumbsup:

I'm in need of your help one more time. (This time not for myself, though, but for a friend with an infected computer. I'm posting from another computer, my own, as I cannot go online from my friend's computer; I have no connection for it here.)

As I say in the subject, the two main symptoms that I most want to fix first are:

This error message which now pops up at startup (after performing an Ad-Aware scan and cleaning), saying "Error loading p2esocks_1021.dll. The system could not find the specific file.".

Notepad (every time a Notepad-associated file is opened; it even happened while saving the HJT log) redirecting to a website, casinopalazzo.com.


This is a company computer, which my friend has to take back tomorrow for the working week, and (while by no means wishing to make my help request appear any more urgent than anyone else's) I'd greatly appreciate it if you could please provide some guidance as soon as possible, at least so I can see whether I can manage to fix these two problems. (I suppose there may be further problems/infections needing to be taken care of, as this was an unprotected/neglected computer regarding malware, and it is also most probably missing Windows updates etc.; I haven't checked that yet. But for the time being I'd be most grateful if you could please help to at least solve these two particular problems.)


Here's how the situation went:

We intended to install a new antivirus (Avast) as the one previously installed (McAfee) had ended its license long ago.

I noticed that the system was rather unstable (it hung and had to be reset a few times, for instance after uninstalling McAfee, or after installing CCleaner, which I ended up uninstalling again, etc.) and also that there were a few suspicious-looking folders, so I wanted to do some cleanup prior to installing Avast, so that it might be installed in a clean (or at least as clean as possible!) environment.

So I installed and updated Ad-Aware and ran a scan with it, in safe mode, and cleaned everything it found. Here's the Ad-Aware log file after this first cleanup (I deleted both the MRUs and the tracking cookies found from the log, to keep it shorter):

Edited by DeLuk, 12 November 2006 - 11:14 AM.



#2 DeLuk (Topic Starter)

Posted 12 November 2006 - 07:44 AM

Ad-Aware SE Build 1.06r1
Logfile Created on:Saturday, 11 November 2006 12:09:55
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R131 09-11-2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):8 total references
CometSystems(TAC index:8):20 total references
Dialer(TAC index:5):6 total references
Dialer.UDconnect(TAC index:5):3 total references
DialPass(TAC index:5):9 total references
GAIN(TAC index:7):15 total references
Holystic-Dialer(TAC index:5):19 total references
istbar.dotcomToolbar(TAC index:5):1 total references
istbar(TAC index:7):6 total references
MagicControl(TAC index:7):4 total references
MRU List(TAC index:0):19 total references
Softomate Toolbar(TAC index:9):1 total references
Tracking Cookie(TAC index:3):102 total references
WhenU(TAC index:3):10 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


11-11-2006 12:09:55 - Scan started. (Full System Scan)


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4291795423
Threads : 4
Priority : High
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Sistema operativo Microsoft® Windows™
CompanyName : Microsoft Corporation
FileDescription : Componente central do Kernel de Win32
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-1999
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294954299
Threads : 1
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Sistema operativo Microsoft® Windows™
CompanyName : Microsoft Corporation
FileDescription : Servidor de mensagens VxD de 32 bits do Windows
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [MPREXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294957739
Threads : 2
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-1998
OriginalFilename : MPREXE.EXE

#:4 [EXPLORER.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294967271
Threads : 5
Priority : Normal
FileVersion : 4.72.3110.1
ProductVersion : 4.72.3110.1
ProductName : Sistema operativo Microsoft® Windows NT®
CompanyName : Microsoft Corporation
FileDescription : Explorador do Windows
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1997
OriginalFilename : EXPLORER.EXE

#:5 [RPCSS.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294857515
Threads : 4
Priority : Normal
FileVersion : 4.71.2900
ProductVersion : 4.71.2900
ProductName : Microsoft® Windows NT™ Operating System
CompanyName : Microsoft Corporation
FileDescription : Distributed COM Services
InternalName : rpcss.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1998
OriginalFilename : rpcss.exe

#:6 [AD-AWARE.EXE]
FilePath : C:\PROGRAMAS\LAVASOFT\AD-AWARE SE PERSONAL\
ProcessID : 4294776271
Threads : 2
Priority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{90c61707-c8f8-43db-a25c-c1f4b18ee41e}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{edc4193f-34ad-4d07-aa87-e3fdb89e3e76}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{1e587528-41aa-4f19-97e8-bb75acc3035c}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{2fcfb3fd-7184-4c42-aed3-30fff0119964}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{34fdd882-5530-4a90-89cd-416612c8855e}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{58c59f56-ca66-4b5d-9132-ecea5193be5a}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{788e0d0e-caf7-473b-9183-76be6d30dc9a}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{7aa7d1c3-f0f8-460c-936d-b5886d0928eb}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{832786ec-9632-4919-8972-59f79d621c87}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{97284959-a553-4576-859c-b3b3ff283de0}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{a0ca55a1-a112-11d3-80d6-00500487b1c5}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{a4b977f5-1efc-4da0-b9c2-67c53cba140f}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{a9e67cbe-7a42-47be-962a-c07e73c34fba}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{aeb17fc4-2a52-4945-9866-81cc343a59e3}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b0e9399e-fe6f-43b0-98d3-2f47080dde4a}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{bfcbf73b-6eb2-49c1-adca-cf0cd589b140}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c4d86dc8-b73b-4470-9914-3dac14ee6f95}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{dc86768f-5adf-4d84-9de8-fd047b1fe8f5}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{ddd1e8ca-678d-4c9a-a472-ce9578b14dc5}

Dialer Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Dialer
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{469c7080-8ec8-43a6-ad97-45848113743c}

Dialer Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Dialer
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{093f9cf8-0de1-491c-95d5-5ec257bd4ca3}

Dialer.UDconnect Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Dialer
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{dc3185ae-864f-4e62-9321-0e9fa1cbe6a4}

Dialer.UDconnect Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Dialer
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : udconn.udconnect

Dialer.UDconnect Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Dialer
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : udconn.udconnect.1

DialPass Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{cefb7b49-9652-464f-8afd-a577c0500f39}

DialPass Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{3947ac1d-db09-4353-bbcc-55b97f5035ef}

DialPass Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{a58f3d09-4543-4396-8be7-105f14dd6ed5}

DialPass Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : p2ecom.egp2ecom

DialPass Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : p2ecom.egp2ecom.1

DialPass Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{0e594d22-ace6-43a2-bcda-bb7c65d3fe8c}

DialPass Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{e8c88115-4951-425b-8c45-4dfc5a5540ee}

GAIN Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{c7b05b61-c8d7-438c-840b-4994daaa8eee}

GAIN Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : pdpplugin.pdppi

GAIN Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c7b05b60-c8d7-438c-840b-4994daaa8eee}

GAIN Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{c7b05b62-c8d7-438c-840b-4994daaa8eee}

GAIN Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{c7b05b62-c8d7-438c-840b-4994daaa8eee}
Value : RegTimestamp

Holystic-Dialer Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{03c543a1-c090-418f-a1d0-fb96380d601d}

Holystic-Dialer Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : hol_preload.full.1

istbar.dotcomToolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{9388907f-82f5-434d-a941-bb802c6dd7c1}

istbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{308a04d3-084d-43aa-a3e6-0d12bcca3ce6}

istbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{12398dd6-40aa-4c40-a4ec-a42cfc0de797}

MagicControl Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : plugin_mc.mcplugin

MagicControl Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : plugin_mc.mcplugin.1

Holystic-Dialer Object Recognized!
Type : Regkey
Data : hol2
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\local appwizard-generated applications\HOL26076414

Holystic-Dialer Object Recognized!
Type : Regkey
Data : hol2
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\local appwizard-generated applications\HOL26332574

Holystic-Dialer Object Recognized!
Type : Regkey
Data : hol2
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\local appwizard-generated applications\HOL27249009

Holystic-Dialer Object Recognized!
Type : Regkey
Data : hol2
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\local appwizard-generated applications\HOL29662700

Holystic-Dialer Object Recognized!
Type : Regkey
Data : hol2
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\local appwizard-generated applications\HOL29703125

Holystic-Dialer Object Recognized!
Type : Regkey
Data : hol2
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : Software\software\local appwizard-generated applications\HOL26076414

Holystic-Dialer Object Recognized!
Type : Regkey
Data : hol2
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : Software\software\local appwizard-generated applications\HOL26332574

Holystic-Dialer Object Recognized!
Type : Regkey
Data : hol2
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : Software\software\local appwizard-generated applications\HOL27249009

Holystic-Dialer Object Recognized!
Type : Regkey
Data : hol2
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : Software\software\local appwizard-generated applications\HOL29662700

Holystic-Dialer Object Recognized!
Type : Regkey
Data : hol2
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : Software\software\local appwizard-generated applications\HOL29703125

Alexa Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuStatusBar

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Script

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : clsid

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Icon

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : HotIcon

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : ButtonText

Holystic-Dialer Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\code store database\distribution units\{03c543a1-c090-418f-a1d0-fb96380d601d}

Holystic-Dialer Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\code store database\distribution units\{03c543a1-c090-418f-a1d0-fb96380d601d}
Value : Installer

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

CometSystems Object Recognized!
Type : RegValue
Data :
TAC Rating : 8
Category : Data Miner
Comment : "{FE6BC4EF-5676-484B-88AE-883323913256}"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\toolbar
Value : {FE6BC4EF-5676-484B-88AE-883323913256}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 64
Objects found so far: 83


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WhenU Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/Downloaded Program Files/WUInst.dll

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/Downloaded Program Files/WUInst.dll
Value : {E2F2B9D0-96B9-4B25-B90C-636ECB207D18}

WhenU Object Recognized!
Type : File
Data : /windows/downloaded program files/wuinst.dll
TAC Rating : 3
Category : Misc
Comment :
Object : c:\



WhenU Object Recognized!
Type : RegValue
Data : C:\WINDOWS\Downloaded Program Files\WUInst.dll
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\SharedDLLs
Value : C:\WINDOWS\Downloaded Program Files\WUInst.dll

istbar Object Recognized!
Type : RegValue
Data : C:\WINDOWS\Downloaded Program Files\CONFLICT.2\ISTactivex.dll
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\SharedDLLs
Value : C:\WINDOWS\Downloaded Program Files\CONFLICT.2\ISTactivex.dll

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 88


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 51
Objects found so far: 139



Deep scanning and examining files (c:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Softomate Toolbar Object Recognized!
Type : File
Data : SearchBar.exe
TAC Rating : 9
Category : Data Miner
Comment :
Object : c:\WINDOWS\SYSTEM\SearchBar\
FileVersion : 1.00
ProductVersion : 1.00
ProductName : searchbar
InternalName : searchbar
OriginalFilename : searchbar.exe


DialPass Object Recognized!
Type : File
Data : eglivecam_1027.dll
TAC Rating : 5
Category : Malware
Comment :
Object : c:\WINDOWS\SYSTEM\



Dialer Object Recognized!
Type : File
Data : eglivecam_1028.dll
TAC Rating : 5
Category : Dialer
Comment :
Object : c:\WINDOWS\SYSTEM\


istbar Object Recognized!
Type : File
Data : ISTactivex.dll
TAC Rating : 7
Category : Malware
Comment :
Object : c:\WINDOWS\Downloaded Program Files\CONFLICT.2\
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : I5Tactivex Module
FileDescription : 15Tactivex Module
InternalName : 15Tactive_x
LegalCopyright : Copyright 2003
OriginalFilename : I5Tact1vex.DLL


WhenU Object Recognized!
Type : File
Data : WUInst.dll
TAC Rating : 3
Category : Misc
Comment :
Object : c:\WINDOWS\Downloaded Program Files\
FileVersion : 1, 0, 3, 1
ProductVersion : 1, 0, 3, 1
ProductName : WUInst Module
FileDescription : WUInst Module
InternalName : WUInst
LegalCopyright : Copyright 2003
OriginalFilename : WUInst.DLL


GAIN Object Recognized!
Type : File
Data : DashBar17.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : c:\Programas\DashBar\
FileVersion : 1, 7, 0, 0
ProductVersion : 1, 7, 0, 0
ProductName : DashBar Toolbar Module
CompanyName : GAIN Publishing
FileDescription : DashBar Toolbar Module
InternalName : DashBar
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : DashBar17.dll
Comments : An internet search toolbar


Disk Scan Result for c:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 196


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Dialer Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Dialer
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\internet settings\zonemap\domains\archiviosex.net

Dialer Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Dialer
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\internet settings\zonemap\domains\sgrunt.biz

Dialer Object Recognized!
Type : Folder
TAC Rating : 5
Category : Dialer
Comment : Dialer
Object : C:\Programas\CHAT

DialPass Object Recognized!
Type : File
Data : p2esocks_1021.dll
TAC Rating : 5
Category : Malware
Comment :
Object : C:\WINDOWS\SYSTEM\
FileVersion : 1, 0, 2, 1
ProductVersion : 1, 0, 2, 1
ProductName : EGAUTH Module
FileDescription : AUTH Module
InternalName : EGAUTH
LegalCopyright : Copyright 2003
OriginalFilename : EGAUTH.DLL


GAIN Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : .default\software\microsoft\systemcertificates\trustedpublisher\ctls

GAIN Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : .default\software\microsoft\systemcertificates\trustedpublisher\crls

GAIN Object Recognized!
Type : Folder
TAC Rating : 7
Category : Data Miner
Comment : GAIN
Object : C:\Programas\DashBar

GAIN Object Recognized!
Type : File
Data : GatorPdpPlugin.log
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\WINDOWS\



GAIN Object Recognized!
Type : File
Data : GatorPatch.log
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\WINDOWS\



GAIN Object Recognized!
Type : File
Data : GatorHDPlugin.log-old.log
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\WINDOWS\



GAIN Object Recognized!
Type : File
Data : DBUninstaller.exe.manifest
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\Programas\dashbar\



GAIN Object Recognized!
Type : File
Data : DBUninstaller.exe
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\Programas\dashbar\



GAIN Object Recognized!
Type : File
Data : DbAu.exe
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\Programas\dashbar\



Holystic-Dialer Object Recognized!
Type : Folder
TAC Rating : 5
Category : Malware
Comment : Holystic-Dialer
Object : C:\WINDOWS\Icons

Holystic-Dialer Object Recognized!
Type : File
Data : Hol328.ico
TAC Rating : 5
Category : Malware
Comment :
Object : C:\WINDOWS\icons\



Holystic-Dialer Object Recognized!
Type : File
Data : HolMkt328.ico
TAC Rating : 5
Category : Malware
Comment :
Object : C:\WINDOWS\icons\



Holystic-Dialer Object Recognized!
Type : File
Data : Hol346.ico
TAC Rating : 5
Category : Malware
Comment :
Object : C:\WINDOWS\icons\



Holystic-Dialer Object Recognized!
Type : File
Data : HolMkt346.ico
TAC Rating : 5
Category : Malware
Comment :
Object : C:\WINDOWS\icons\



istbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{d128e6c8-6ae7-4ecd-939e-e2e6ca7d035d}

istbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\downloadmanager

MagicControl Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\mc

MagicControl Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : .default\software\mc

WhenU Object Recognized!
Type : Folder
TAC Rating : 3
Category : Misc
Comment : WhenU
Object : C:\Programas\VVSN

WhenU Object Recognized!
Type : Folder
TAC Rating : 3
Category : Misc
Comment : WhenU
Object : C:\Programas\Save

WhenU Object Recognized!
Type : Folder
TAC Rating : 3
Category : Misc
Comment : WhenU
Object : C:\Programas\ClockSync

WhenU Object Recognized!
Type : File
Data : WUInst.inf
TAC Rating : 3
Category : Misc
Comment :
Object : C:\WINDOWS\downloaded program files\



WhenU Object Recognized!
Type : File
Data : ReadMe.txt
TAC Rating : 3
Category : Misc
Comment :
Object : C:\Programas\save\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 27
Objects found so far: 223

12:16:44 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:06:48.640
Objects scanned:70110
Objects identified:204
Objects ignored:0
New critical objects:204
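The log above is long and repetitive, and the two open questions (which files the cleanup actually removed, and which of the 204 hits deserve manual review) are hard to answer by eye. The following Python is an added example, not code from the original post or from Lavasoft: it parses the "Object Recognized!" blocks of an Ad-Aware SE log into records, lists the Type : File objects (the things the cleanup deletes or quarantines), and filters out the entries rated Malware or with a high TAC rating. The sample input is constructed from a handful of records in the same shape as the posted log. The comment in removed_files that an orphaned load point is the likely source of the "Error loading p2esocks_1021.dll" message is an assumption; the log does not show which registry entry references that file.

```python
"""Parse Ad-Aware SE 'Object Recognized!' blocks and pull out what matters.

Added example; not code from the original post or from Lavasoft.
"""
import re
from collections import Counter

# Constructed sample in the same shape as the posted log (a few records only).
SAMPLE_LOG = r"""Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{90c61707-c8f8-43db-a25c-c1f4b18ee41e}

DialPass Object Recognized!
Type : File
Data : p2esocks_1021.dll
TAC Rating : 5
Category : Malware
Comment :
Object : C:\WINDOWS\SYSTEM\
FileVersion : 1, 0, 2, 1
OriginalFilename : EGAUTH.DLL

WhenU Object Recognized!
Type : File
Data : WUInst.dll
TAC Rating : 3
Category : Misc
Comment :
Object : c:\WINDOWS\Downloaded Program Files\

Holystic-Dialer Object Recognized!
Type : Folder
TAC Rating : 5
Category : Malware
Comment : Holystic-Dialer
Object : C:\WINDOWS\Icons

Registry Scan result:
"""

RECORD_RE = re.compile(r"^(?P<family>\S.*?) Object Recognized!$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?) : ?(?P<value>.*)$")


def parse_records(text):
    """Return one dict per record: {'family': ..., 'Type': ..., 'Object': ..., ...}.

    A record starts at a '<family> Object Recognized!' line and ends at the
    first blank line; the 'Key : value' lines in between become dict entries.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        started = RECORD_RE.match(line)
        if started:
            current = {"family": started.group("family")}
            records.append(current)
        elif current is None:
            continue          # process listing, banners, scan summaries
        elif not line:
            current = None    # blank line closes the record
        else:
            field = FIELD_RE.match(line)
            if field:
                current[field.group("key")] = field.group("value")
    return records


def removed_files(records):
    """Full paths of every Type : File object, i.e. what the cleanup deletes
    or quarantines. A load point left behind (a Run entry, a shell command,
    a BHO registration) that still names one of these fails with a
    'could not find file' error at the next boot. Assumption: that is the
    likely origin of the p2esocks_1021.dll message; the log does not show it.
    """
    paths = []
    for r in records:
        if r.get("Type") == "File" and r.get("Data") and r.get("Object"):
            folder = r["Object"] if r["Object"].endswith("\\") else r["Object"] + "\\"
            paths.append(folder + r["Data"])
    return paths


def critical(records, min_tac=7):
    """Records worth manual review: Category Malware, or TAC rating >= min_tac."""
    return [r for r in records
            if r.get("Category") == "Malware"
            or int(r.get("TAC Rating", "0") or 0) >= min_tac]


def family_counts(records):
    """How many objects each family accounts for, most common first."""
    return Counter(r["family"] for r in records).most_common()


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for family, n in family_counts(recs):
        print(f"{family:20} {n}")
    print("files to be removed:", *removed_files(recs), sep="\n  ")
```

Run it against a saved log by replacing SAMPLE_LOG with the file contents; the list returned by removed_files is the set of names to search for in the startup locations (Run keys, win.ini, shell open commands) before rebooting, so that nothing is left pointing at a file that no longer exists.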

#3 DeLuk (Topic Starter)

Posted 12 November 2006 - 07:46 AM

After this cleanup with Ad-Aware, on rebooting to normal mode, the above-mentioned error message appeared: "Error loading p2esocks_1021.dll. The system could not find the specific file.". So I restored the quarantined data and rebooted again, yet the message still appeared. We then brought the computer home for further cleaning (and this is why, at this point, I don't have the possibility of going online with the infected computer; should any additional online scanning be required, like Panda ActiveScan or Jotti etc., I can't do those at this point).

I ran a new scan with Ad-Aware, again in safe mode, and re-cleaned everything it found. Here's the new log (this time I had previously cleaned the IE temp folders; again I deleted both the MRUs and the tracking cookies from the log):

----------

Ad-Aware SE Build 1.06r1
Logfile Created on:Saturday, 11 November 2006 22:51:11
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R131 09-11-2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CometSystems(TAC index:8):19 total references
Dialer(TAC index:5):3 total references
Dialer.UDconnect(TAC index:5):3 total references
DialPass(TAC index:5):7 total references
GAIN(TAC index:7):5 total references
MRU List(TAC index:0):18 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


11-11-2006 22:51:11 - Scan started. (Full System Scan)


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4291795793
Threads : 4
Priority : High
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Sistema operativo Microsoft® Windows™
CompanyName : Microsoft Corporation
FileDescription : Componente central do Kernel de Win32
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-1999
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294954933
Threads : 1
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Sistema operativo Microsoft® Windows™
CompanyName : Microsoft Corporation
FileDescription : Servidor de mensagens VxD de 32 bits do Windows
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [MPREXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294957093
Threads : 2
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-1998
OriginalFilename : MPREXE.EXE

#:4 [EXPLORER.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294966633
Threads : 4
Priority : Normal
FileVersion : 4.72.3110.1
ProductVersion : 4.72.3110.1
ProductName : Sistema operativo Microsoft® Windows NT®
CompanyName : Microsoft Corporation
FileDescription : Explorador do Windows
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1997
OriginalFilename : EXPLORER.EXE

#:5 [RPCSS.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294857125
Threads : 4
Priority : Normal
FileVersion : 4.71.2900
ProductVersion : 4.71.2900
ProductName : Microsoft® Windows NT™ Operating System
CompanyName : Microsoft Corporation
FileDescription : Distributed COM Services
InternalName : rpcss.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1998
OriginalFilename : rpcss.exe

#:6 [AD-AWARE.EXE]
FilePath : C:\PROGRAMAS\LAVASOFT\AD-AWARE SE PERSONAL\
ProcessID : 4294803093
Threads : 2
Priority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{90c61707-c8f8-43db-a25c-c1f4b18ee41e}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{edc4193f-34ad-4d07-aa87-e3fdb89e3e76}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{1e587528-41aa-4f19-97e8-bb75acc3035c}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{2fcfb3fd-7184-4c42-aed3-30fff0119964}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{34fdd882-5530-4a90-89cd-416612c8855e}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{58c59f56-ca66-4b5d-9132-ecea5193be5a}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{788e0d0e-caf7-473b-9183-76be6d30dc9a}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{7aa7d1c3-f0f8-460c-936d-b5886d0928eb}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{832786ec-9632-4919-8972-59f79d621c87}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{97284959-a553-4576-859c-b3b3ff283de0}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{a0ca55a1-a112-11d3-80d6-00500487b1c5}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{a4b977f5-1efc-4da0-b9c2-67c53cba140f}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{a9e67cbe-7a42-47be-962a-c07e73c34fba}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{aeb17fc4-2a52-4945-9866-81cc343a59e3}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b0e9399e-fe6f-43b0-98d3-2f47080dde4a}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{bfcbf73b-6eb2-49c1-adca-cf0cd589b140}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c4d86dc8-b73b-4470-9914-3dac14ee6f95}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{dc86768f-5adf-4d84-9de8-fd047b1fe8f5}

CometSystems Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{ddd1e8ca-678d-4c9a-a472-ce9578b14dc5}

Dialer Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Dialer
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{469c7080-8ec8-43a6-ad97-45848113743c}

Dialer Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Dialer
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{093f9cf8-0de1-491c-95d5-5ec257bd4ca3}

Dialer.UDconnect Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Dialer
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{dc3185ae-864f-4e62-9321-0e9fa1cbe6a4}

Dialer.UDconnect Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Dialer
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : udconn.udconnect

Dialer.UDconnect Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Dialer
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : udconn.udconnect.1

DialPass Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{cefb7b49-9652-464f-8afd-a577c0500f39}

DialPass Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{3947ac1d-db09-4353-bbcc-55b97f5035ef}

DialPass Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{a58f3d09-4543-4396-8be7-105f14dd6ed5}

DialPass Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : p2ecom.egp2ecom

DialPass Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : p2ecom.egp2ecom.1

DialPass Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{0e594d22-ace6-43a2-bcda-bb7c65d3fe8c}

DialPass Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{e8c88115-4951-425b-8c45-4dfc5a5540ee}

GAIN Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{c7b05b61-c8d7-438c-840b-4994daaa8eee}

GAIN Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : pdpplugin.pdppi

GAIN Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c7b05b60-c8d7-438c-840b-4994daaa8eee}

GAIN Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{c7b05b62-c8d7-438c-840b-4994daaa8eee}

GAIN Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{c7b05b62-c8d7-438c-840b-4994daaa8eee}
Value : RegTimestamp

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 36
Objects found so far: 54


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 54


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 55



Deep scanning and examining files (c:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for c:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 56


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Dialer Object Recognized!
Type : Folder
TAC Rating : 5
Category : Dialer
Comment : Dialer
Object : C:\Programas\CHAT

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 57

22:58:02 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:06:50.840
Objects scanned:69528
Objects identified:39
Objects ignored:0
New critical objects:39

#4 DeLuk

Posted 12 November 2006 - 07:47 AM

After this second cleanup with Ad-Aware, and after rebooting into normal mode, I installed HJT and ran a scan with it. So here's the log, which I'd very much appreciate you having a look at, and please, if possible in such a short time, help me at least to fix that error message at startup and the annoyance of notepad redirecting to casinopalazzo.com.


----------


Logfile of HijackThis v1.99.1
Scan saved at 10:51:51, on 12-11-2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LXCGPPLS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMAS\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAMAS\LEXMARK 2300 SERIES\LXCGMON.EXE
C:\PROGRAMAS\LEXMARK 2300 SERIES\EZPRINT.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAMAS\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMAS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = CLIX
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched,lxcgppls.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAMAS\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMAS\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAMAS\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [VerificarRegisto] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [MonitorTarefas] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Tabuleiro do sistema] SysTray.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MaxProtector] C:\Programas\MaxProtector\MaxProtector.exe ontray
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\SYSTEM\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Programas\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programas\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programas\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1021.dll,InstantAccess
O4 - Startup: WinZip Quick Pick.lnk = C:\Programas\WinZip\WZQKPICK.EXE
O4 - Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - User Startup: WinZip Quick Pick.lnk = C:\Programas\WinZip\WZQKPICK.EXE
O4 - User Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN.cab
O16 - DPF: {16A7470E-229C-45F9-AE05-A87034FD14CF} (UDConnect Class) - http://03.sharedsource.org/html/UDConn_5.2.1.3.cab?
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
O16 - DPF: {D62B5127-8D03-4175-BA71-E0041595DA4B} (UDConnect Class) - http://03.sharedsource.org/html/TriacomUD_1.0.0.3ie.cab?
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://geo.sapo.pt/imp_cgi/mgaxctrl.cab


----------


Thank you so much already for your kind patience and any possible help! :thumbsup:
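The two checks a helper would run against the log above can be automated. The script below is an added example for this thread, not code from HijackThis, Ad-Aware or the poster: it parses O4 lines, works out which file each entry really loads (for `rundll32.exe <dll>,<entry>` that is the DLL, not rundll32), and reports entries whose target cannot be found, which is exactly the situation that makes Windows show "Error loading p2esocks_1021.dll" at boot. It also cross-references O16 (Downloaded Program Files) entries against the `clsid\{...}` objects the posted Ad-Aware scan reported. The log lines are copied from the posted logs; `FILE_INVENTORY` and `SEARCH_PATH` are constructed stand-ins for a directory listing of the infected PC and for the Win9x DLL search order.

```python
"""Triage a HijackThis log: O4 autostart entries whose target file is
missing (the orphaned 'rundll32.exe <dll>,<entry>' that yields
"Error loading <dll>" at boot) and O16 ActiveX entries whose CLSID a
scanner separately flagged.

Added example for this thread; not code from HijackThis, Ad-Aware or the
poster. Log lines are copied from the posted logs. FILE_INVENTORY and
SEARCH_PATH are constructed stand-ins (directory listing, Win9x search order)."""
import ntpath
import re
from dataclasses import dataclass

O4_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<loc>.+?): (?P<lnk>.+?\.lnk) = (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}.*? - (?P<url>\S+)$")
ADAWARE_CLSID_RE = re.compile(r"^Object : clsid\\\{(?P<clsid>[0-9A-Fa-f-]{36})\}$", re.I)

# Constructed: files the posted logs show to be present. It deliberately lacks
# p2esocks_1021.dll and the MaxProtector folder, which the poster could not find.
FILE_INVENTORY = {p.lower() for p in (
    r"C:\WINDOWS\taskmon.exe", r"C:\WINDOWS\SYSTEM\SysTray.Exe",
    r"C:\WINDOWS\SYSTEM\powrprof.dll", r"C:\WINDOWS\SYSTEM\QTTASK.EXE",
    r"C:\WINDOWS\SYSTEM\LXCGtime.dll", r"C:\WINDOWS\SYSTEM\UDConn.dll",
)}
SEARCH_PATH = (r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM")  # assumption: Win9x defaults

HJT_SAMPLE = [  # lines copied from the posted HijackThis log
    r"O4 - HKLM\..\Run: [MonitorTarefas] C:\WINDOWS\taskmon.exe",
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    r"O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime',
    r"O4 - HKLM\..\Run: [MaxProtector] C:\Programas\MaxProtector\MaxProtector.exe ontray",
    r"O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\SYSTEM\LXCGtime.dll,_RunDLLEntry@16",
    r"O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1021.dll,InstantAccess",
    r"O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN.cab",
    r"O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab",
    r"O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://geo.sapo.pt/imp_cgi/mgaxctrl.cab",
]
ADAWARE_SAMPLE = [  # 'Object : clsid\{...}' lines from the posted Ad-Aware scan
    r"Object : clsid\{469c7080-8ec8-43a6-ad97-45848113743c}",
    r"Object : clsid\{093f9cf8-0de1-491c-95d5-5ec257bd4ca3}",
    r"Object : clsid\{90c61707-c8f8-43db-a25c-c1f4b18ee41e}",
]

@dataclass
class Finding:
    severity: str
    line: str
    reason: str

def split_command(cmd):
    """Split a command line into (program, arguments), honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    prog, _, rest = cmd.partition(" ")
    return prog, rest.strip()

def target_of(cmd):
    """The file an autostart entry really loads: for rundll32 the DLL named in
    '<dll>,<entry>', otherwise the program itself."""
    prog, rest = split_command(cmd)
    if ntpath.basename(prog).lower() in ("rundll32", "rundll32.exe"):
        dll = rest.split(",", 1)[0].strip()
        return dll[1:dll.index('"', 1)] if dll.startswith('"') else dll
    return prog

def resolve(target, inventory=FILE_INVENTORY):
    """An absolute target must exist as written; a bare name is looked up along
    SEARCH_PATH the way the loader would. Returns the matched path or None."""
    if ntpath.splitdrive(target)[0] or target.startswith("\\"):
        return target if target.lower() in inventory else None
    for directory in SEARCH_PATH:
        candidate = ntpath.join(directory, target)
        if candidate.lower() in inventory:
            return candidate
    return None

def triage(hjt_lines, adaware_lines=()):
    """'high': missing O4 target, or O16 control whose CLSID the scanner also
    reported. 'info': rundll32 DLL loaded by bare name (search-path dependent)."""
    flagged = {m.group("clsid").lower() for m in map(ADAWARE_CLSID_RE.match, adaware_lines) if m}
    findings = []
    for line in hjt_lines:
        m = O4_RE.match(line) or O4_LNK_RE.match(line)
        if m:
            cmd = m.group("cmd")
            target = target_of(cmd)
            resolved = resolve(target)
            if resolved is None:
                findings.append(Finding("high", line, f"target not found: {target}"))
            elif "rundll32" in split_command(cmd)[0].lower() and not ntpath.splitdrive(target)[0]:
                findings.append(Finding("info", line, f"DLL loaded by bare name; resolves to {resolved}"))
            continue
        m = O16_RE.match(line)
        if m and m.group("clsid").lower() in flagged:
            findings.append(Finding("high", line, f"CLSID also flagged by scanner; installed from {m.group('url')}"))
    return findings

if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, ADAWARE_SAMPLE):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

A missing target only tells you that the launcher outlived the file it launched: fixing the O4 line (or deleting the Run value) silences the boot message, but says nothing about the other components of the same package, and later posts in this thread show EGCOMLIB_1035.dll and P2ECOM.dll still on disk. The bare-name rundll32 finding is informational for a reason: legitimate Windows entries such as powrprof.dll load that way too, so it is a prompt to check which file the search path actually picks up, not a verdict.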

#5 DeLuk

Posted 12 November 2006 - 02:12 PM

If I at least fix the following entry in HJT:

O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1021.dll,InstantAccess

And delete the following file (should it actually be there; even with hidden and system files showing, I still can't find this file on the computer, but anyway):

C:\Windows\System32\p2esocks_1021.dll

Will I at least be able to get rid of the startup error message by doing this? (Any further problem/infection may be fixed at a later opportunity; it isn't essential that it be done at this time, but I would really like to manage to get rid of at least that startup error message before my friend has to take the computer back to the office; so if you can please help, even if only by confirming whether, by doing as said above, the startup error message will be gone, I'd sincerely appreciate it. Thank you so much again.)

#6 DeLuk

Posted 17 November 2006 - 05:22 AM

Today my friend will bring the computer back home for the weekend; if anyone could please provide some guidance as to how to properly fix it, I'd greatly appreciate it, so that I have a chance to complete the fix over this new weekend. Thank you so much once again.

Edited by DeLuk, 17 November 2006 - 09:37 AM.


#7 DeLuk

Posted 17 November 2006 - 09:14 PM

After my friend brought the computer back tonight, I ran HJT again for an updated log (before which I emptied both the IE cache and the Windows Temp folder and ran both Ad-Aware and Spybot, again in safe mode, both of which found nothing this time around), yet as far as I could cross-check, the only difference from the previous log is that the following two entries are no longer present:

-----

O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN.cab

O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab

-----

Other than that, both symptoms from before are still there: the rundll error message at startup still appears, and notepad still tries to connect to casinopalazzo.com when opened, after which it creates the characteristic shortcut icon on the desktop named "pleasure zone" with a yellow cross over a purple square (which is also the icon of notepad.exe).


Once again, thank you greatly if you can please give some assistance in solving this problem.

#8 DeLuk

Posted 19 November 2006 - 01:27 PM

Here's a new update on what more I did while standing by for further expert help:

I have now also directly removed (in safe mode) from C:\Windows\Downloaded Program Files both UDConnect Class ActiveX controls relating to sharedsource.org, so the following entries also no longer appear in the HJT log:

O16 - DPF: {16A7470E-229C-45F9-AE05-A87034FD14CF} (UDConnect Class) - http://03.sharedsource.org/html/UDConn_5.2.1.3.cab?
O16 - DPF: {D62B5127-8D03-4175-BA71-E0041595DA4B} (UDConnect Class) - http://03.sharedsource.org/html/TriacomUD_1.0.0.3ie.cab?

-----

Latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 15:39:04, on 19-11-2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LXCGPPLS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAMAS\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAMAS\LEXMARK 2300 SERIES\LXCGMON.EXE
C:\PROGRAMAS\LEXMARK 2300 SERIES\EZPRINT.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMAS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = CLIX
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched,lxcgppls.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAMAS\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMAS\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAMAS\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [VerificarRegisto] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [MonitorTarefas] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Tabuleiro do sistema] SysTray.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MaxProtector] C:\Programas\MaxProtector\MaxProtector.exe ontray
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\SYSTEM\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Programas\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programas\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programas\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1021.dll,InstantAccess
O4 - Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - User Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://geo.sapo.pt/imp_cgi/mgaxctrl.cab

Edited by DeLuk, 19 November 2006 - 01:27 PM.


#9 DeLuk

Posted 19 November 2006 - 01:33 PM

I ran msconfig to check what was set to run at boot. As expected, there was an entry relating to p2esocks_1021.dll which was enabled:

Instant Access >>> rundll32.exe p2esocks_1021.dll,InstantAccess

However, I also noticed a few other entries which, although disabled, looked suspicious to me?...

Instant Access >>> rundll32.exe EGCOMLIB_1035.dll,InstantAccess
100tosdefotospt-htm >>> RunDll32 UDConn.dll,RunAsIcon 100tosdefotos
milesdefotospt-htm >>> RunDll32 UDConn.dll,RunAsIcon milesdefotos
jsdmzqb >>> C:\Windows\jsdmzqb.exe
vypapsf >>> C:\Windows\vypapsf.exe
mtav >>> C:\Windows\mtav.exe

I disabled Instant Access >>> rundll32.exe p2esocks_1021.dll,InstantAccess in msconfig to confirm whether that alone would make the error message at startup disappear, and indeed, after rebooting, the error message did not appear.
Running msconfig again, I noticed however that, after disabling that entry, the one Instant Access >>> rundll32.exe EGCOMLIB_1035.dll,InstantAccess had disappeared from the msconfig boot list.
I re-enabled Instant Access >>> rundll32.exe p2esocks_1021.dll,InstantAccess to check whether Instant Access >>> rundll32.exe EGCOMLIB_1035.dll,InstantAccess would then reappear in the list, but no, after rebooting it is not there anymore.
I left Instant Access >>> rundll32.exe p2esocks_1021.dll,InstantAccess enabled, as I don't know for sure whether it's enough to just have it disabled in msconfig, or if I should rather have O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1021.dll,InstantAccess fixed in HJT?...

Next I made a search (with system and hidden files showing) for the files:

EGCOMLIB_1035.dll
UDConn.dll
C:\Windows\jsdmzqb.exe
C:\Windows\vypapsf.exe
C:\Windows\mtav.exe

The files C:\Windows\jsdmzqb.exe, C:\Windows\vypapsf.exe and C:\Windows\mtav.exe were not found anywhere on the computer.
The files EGCOMLIB_1035.dll and UDConn.dll were both found in C:\Windows\System.

Next I ran CWShredder (in safe mode), scan only at first, and it found nothing. Then (anyway) I ran the fix.

I then tried again to install CCleaner, and this time it worked alright; yet I only ran a scan and didn't do the cleaning, as I noticed that one of the files set to be removed was C:\Windows\notepad.exe.bak, and since I read somewhere in some other forum that this backup of notepad.exe might be needed for replacing the infected one (?), I became unsure and in the end I didn't run the cleaner. I wonder if I can, though?... (As, if needed, I can also replace the infected notepad.exe with the one from http://www.spywareinfo.com/~merijn/winfiles.php#notepad.exe, so I don't necessarily need this notepad.exe.bak file in the end, do I?... Or?...)

I also installed Avast antivirus (which I updated manually, as I had done before with both Ad-Aware and Spybot, since I have no internet connection available for this infected computer here at home) just to run a scan (I did it in normal mode) and see what it would find. (Afterwards I uninstalled it again.) Here's the report:

-----

* VPS: 0649-0, 15-11-2006
*

c:\WINDOWS\SYSTEM\netpe32.dll [L] Win32:Trojan-gen. {Other} (0)
c:\WINDOWS\SYSTEM\nethv32.dll [L] Win32:Dialer-AI [Trj] (0)
c:\WINDOWS\SYSTEM\scdata.dll [L] Win32:Dialer-gen. [Trj] (0)
c:\WINDOWS\SYSTEM\EGAUTH.dll [L] Win32:P2E-gen [Trj] (0)
c:\WINDOWS\SYSTEM\P2ECOM.dll [L] Win32:P2E-10 [Trj] (0)
c:\WINDOWS\NOTEPAD.EXE [L] Win32:Dialer-291 [Trj] (0)
c:\WINDOWS\Downloaded Program Files\CONFLICT.1\ISTactivex.dll [L] Win32:IstBar-G [Trj] (0)
c:\WINDOWS\Downloaded Program Files\adult1.exe [L] Win32:Dialer-gen13 [Trj] (0)
c:\WINDOWS\Q579591.exe [L] Win32:Dialer-K [Trj] (0)
c:\Programas\pl.exe [L] Win32:Trojano-141 [Trj] (0)

*
-----

I took no action on any of the infections reported. I wonder though, should I just install Avast again and have it safely quarantine (or delete?) each of those files (including notepad.exe), or?... Or should I just manually remove them all in safe mode, or?... (Though I can't seem to find either C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ISTactivex.dll or C:\WINDOWS\Downloaded Program Files\adult1.exe... Then again, I was curious about the file C:\Windows\Q579591.exe in particular, since such Qxxxxxx.exe files are usually Windows related files, right? Yet, checking the properties of this one, it has no Version tab, only the General tab; it's 9,998 bytes / 32,768 bytes used. I also can't seem to find any info regarding this particular file after searching Google. I suppose then that it must indeed be some malware/infected file, or?...)

One other doubt, going back to HJT log: can the following entry be safely fixed also?

O4 - HKLM\..\Run: [MaxProtector] C:\Programas\MaxProtector\MaxProtector.exe ontray

I also find a reference to this MaxProtector.exe in the msconfig boot list (there, it is enabled):

MaxProtector >>> C:\Programas\MaxProtector\MaxProtector.exe ontray

Yet there's no such program installed on the computer, nor does the directory C:\Programas\MaxProtector exist, so I wonder if I can just safely fix this entry in HJT?

And what other entries should I fix as well? In addition to O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1021.dll,InstantAccess, I believe at least this one, R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.net/, should also be fixed, or?... And any other(s)?...

#10 DeLuk

Posted 19 November 2006 - 01:42 PM

Here are also some facts after doing some searching through the registry (I don't know how relevant any of this may be, but still):

In addition to EGCOMLIB_1035.dll, there are also references to EGCOMLIB_1031.dll and EGCOMLIB_1034.dll. Each of the three is found as a key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/SYSTEM/EGCOMLIB_1035.dll (and EGCOMLIB_1031.dll and EGCOMLIB_1034.dll respectively)

And also as a value under the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs

Additionally, I noticed that in the very same locations there is a reference to the dll file P2ECOM.dll (which Avast had also reported as infected).

Then again, I searched the computer for the files EGCOMLIB_1031.dll and EGCOMLIB_1034.dll, yet neither of these two files was found.

I also searched the registry for netpe32.dll, nethv32.dll, scdata.dll and EGAUTH.dll, yet there is no reference to any of these four dll files.

I also searched the registry for UDConn.dll, and there are references to it in:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-
HKEY_CLASSES_ROOT\CLSID\{16A7470E-229C-45f9-AE05-A87034FD14CF}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{16A7470E-229C-45f9-AE05-A87034FD14CF}\ToolboxBitmap32
HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{16A7470E-229C-45f9-AE05-A87034FD14CF}\InprocServer32
HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{16A7470E-229C-45f9-AE05-A87034FD14CF}\ToolboxBitmap32

I noticed that in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run- there were also references to jsdmzqb.exe, vypapsf.exe and mtav.exe (the same files that are also referenced in the msconfig boot list), and these, along with UDConn.dll (which appears there twice, associated with 100tosdefotospt-htm and milesdefotospt-htm), are the only values found under this key. (Also, I find such a key, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run-, odd?... I mean, is this \Run- key normal to be there at all, or?... In my Windows XP there's no such \Run- key anywhere; I don't know if it's different in Windows 98 SE maybe?...) Then again, this key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run- is the only location in the registry where a reference to each of the files jsdmzqb.exe, vypapsf.exe and mtav.exe is found; nowhere else in the registry is there a reference to any of these files.

Also, I noticed that {16A7470E-229C-45f9-AE05-A87034FD14CF} corresponds to the ID of one of the UDConnect Class ActiveX controls which I had previously uninstalled from C:\Windows\Downloaded Program Files, so I also searched the registry for the ID of the other UDConnect Class ActiveX control I had uninstalled, {D62B5127-8D03-4175-BA71-E0041595DA4B}, and found references to it in similar locations:

HKEY_CLASSES_ROOT\CLSID\{D62B5127-8D03-4175-BA71-E0041595DA4B}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{D62B5127-8D03-4175-BA71-E0041595DA4B}\ToolboxBitmap32
HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{D62B5127-8D03-4175-BA71-E0041595DA4B}\InprocServer32
HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{D62B5127-8D03-4175-BA71-E0041595DA4B}\ToolboxBitmap32

So I checked which dll file is associated with these registry entries; it's TriacomUD.dll.

I found further references to TriacomUD.dll in the registry, in the keys:

HKEY_CLASSES_ROOT\TypeLib\{ED17A3F2-039B-4D88-B161-61E935ECA8BA}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{ED17A3F2-039B-4D88-B161-61E935ECA8BA}\1.0\0\win32

I also searched the computer for TriacomUD.dll, and it's found in C:\Windows\System.

So I checked its properties, and its description is the same as for the file UDConn.dll, UDIS Unified Dial-In System, and so is the company name, Procom-Redes S.A.

Thus I wonder: if, in the process of fixing the computer's infections, it should turn out to be necessary to delete the file UDConn.dll, should the file TriacomUD.dll be deleted as well?

-----

I would very much appreciate any further guidance for resolving the problems found in my friend's infected computer, and thank you so much already, and once more, for your help and kind patience. :thumbsup:

-----

Three quick doubts still:

1) Should I eventually also try this automatic removal program for the InstantAccess infection?

http://www.spywareremove.com/removeInstantAccess.html

2) Should I reset the IE settings (IE > Tools > Internet Options > Advanced > restore definitions)?

3) Is it possible (and how) to remove those disabled entries from the msconfig boot list? I mean, so that they don't appear in the list at all? Like these ones:

jsdmzqb >>> C:\Windows\jsdmzqb.exe
vypapsf >>> C:\Windows\vypapsf.exe
mtav >>> C:\Windows\mtav.exe

(Since the files they refer to don't actually even exist.) Can these be removed from the boot list (and how)?

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:23 PM

Posted 22 November 2006 - 04:16 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
I apologize for the delay getting to your log, the helpers here are very busy.

If you still need help, please post a fresh Hijackthis log, in this thread, so I can help you with your malware problems.
If you have resolved this issue please let us know.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#12 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Portugal
  • Local time:07:23 PM

Posted 23 November 2006 - 03:58 PM

Hi Sam, and thank you so much for replying. :thumbsup:

Below I will paste a fresh HJT log as you requested. No, I have not yet resolved my issue: since this is a computer which isn't my own and, most importantly, a company computer, I would very much appreciate expert assistance in dealing with whatever problems exist, to avoid any risk of taking a wrong step on my own.

Then again, I would wish to ask 3 things in advance:

1) Can/Should I safely perform a cleanup with CCleaner at once (having it also delete the above-mentioned notepad.exe.bak file)?

2) Should I run McAfee Stinger in addition to all the previous scans/cleanups made (Ad-Aware / SpyBot / CWShredder), seeing that I haven't yet had the chance to run an online virus scan?

3) If I have the chance next time to have the infected computer connected to the internet, should I run Panda ActiveScan at once, prior to everything else?

Once again, thank you greatly, for any further help regarding this issue. :flowers:

And so here's the fresh HJT log:

-----

Logfile of HijackThis v1.99.1
Scan saved at 18:37:27, on 23-11-2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LXCGPPLS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMAS\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAMAS\LEXMARK 2300 SERIES\LXCGMON.EXE
C:\PROGRAMAS\LEXMARK 2300 SERIES\EZPRINT.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMAS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = CLIX
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched,lxcgppls.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAMAS\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMAS\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAMAS\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [VerificarRegisto] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [MonitorTarefas] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Tabuleiro do sistema] SysTray.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MaxProtector] C:\Programas\MaxProtector\MaxProtector.exe ontray
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\SYSTEM\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Programas\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programas\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programas\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1021.dll,InstantAccess
O4 - Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - User Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://geo.sapo.pt/imp_cgi/mgaxctrl.cab
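
The two symptoms discussed in this thread (the "Error loading p2esocks_1021.dll" message, and the disabled msconfig items under the Run- key whose files no longer exist) are both orphaned autostart entries: a registry value that still launches something the disk no longer has. The script below is an added triage example written for this thread, not a BleepingComputer or HijackThis tool. It parses HijackThis "O4" lines of the kind shown in the log above and msconfig-style "name >>> path" lines of the kind listed earlier, works out which file Windows would actually load (for rundll32 entries that is the DLL, not rundll32.exe itself), and reports entries whose target cannot be found. The disk contents are a constructed snapshot so the example runs offline; the search order in SEARCH_PATH is an assumption.

```python
"""Flag autostart entries whose target file no longer exists on disk.

Added example for this thread; not a BleepingComputer or HijackThis tool.
Input: HijackThis "O4" lines and msconfig-style "name >>> path" lines.
Disk contents: a constructed snapshot (PRESENT_FILES), so it runs offline.
"""
import re
from typing import Dict, List, Optional

# Constructed snapshot of files present on the machine. Compared
# case-insensitively, as on a FAT32 Windows 98 install.
PRESENT_FILES = {
    r"C:\WINDOWS\SCANREGW.EXE",
    r"C:\WINDOWS\TASKMON.EXE",
    r"C:\WINDOWS\SYSTEM\SYSTRAY.EXE",
    r"C:\WINDOWS\RUNDLL32.EXE",
    r"C:\WINDOWS\SYSTEM\POWRPROF.DLL",
    r"C:\WINDOWS\SYSTEM\LXCGTIME.DLL",
    r"C:\PROGRAMAS\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE",
}
# Directories searched when a command names a bare file (assumed order).
SEARCH_PATH = [r"C:\WINDOWS\SYSTEM", r"C:\WINDOWS"]

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
MSCONFIG_RE = re.compile(r"^(?P<name>\S+)\s*>>>\s*(?P<cmd>.+)$")
RUNDLL_RE = re.compile(r"rundll32(\.exe)?$", re.IGNORECASE)


def tokenize(cmd: str) -> List[str]:
    """Split a command line on whitespace, keeping quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def target_of(cmd: str) -> Optional[str]:
    """The file actually loaded: the module for rundll32 lines, else the program."""
    tokens = tokenize(cmd)
    if not tokens:
        return None
    exe = tokens[0]
    if RUNDLL_RE.search(exe.rsplit("\\", 1)[-1]) and len(tokens) > 1:
        # rundll32 <module>,<entrypoint> [args]: the module is what gets loaded
        return tokens[1].split(",", 1)[0]
    return exe


def resolve(target: str) -> Optional[str]:
    """Return the snapshot path Windows would load for target, or None if absent."""
    present = {p.upper(): p for p in PRESENT_FILES}
    if "\\" in target:
        candidates = [target]
    else:
        candidates = [d + "\\" + target for d in SEARCH_PATH]
    for cand in candidates:
        if cand.upper() in present:
            return present[cand.upper()]
    return None


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Parse one O4 or msconfig line into hive/name/cmd, or None if unrecognised."""
    m = O4_RE.match(line) or MSCONFIG_RE.match(line)
    if not m:
        return None
    hive = m.groupdict().get("hive") or "msconfig"
    return {"hive": hive, "name": m.group("name"), "cmd": m.group("cmd")}


def orphaned_entries(lines: List[str]) -> List[Dict[str, str]]:
    """Entries whose launched file cannot be found in the disk snapshot."""
    found = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        target = target_of(entry["cmd"])
        if target and resolve(target) is None:
            found.append({**entry, "target": target})
    return found


# Constructed sample: lines of the shape seen in this thread's log and msconfig list.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [VerificarRegisto] C:\WINDOWS\scanregw.exe /autorun",
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    r"O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme",
    r"O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\SYSTEM\LXCGtime.dll,_RunDLLEntry@16",
    r'O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon',
    r"O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1021.dll,InstantAccess",
    r"jsdmzqb >>> C:\Windows\jsdmzqb.exe",
    r"mtav >>> C:\Windows\mtav.exe",
]

if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LINES):
        print(f'{e["hive"]} [{e["name"]}] -> {e["target"]} (not found on disk)')
```

Against the constructed snapshot the three reported entries are the Instant Access rundll32 value and the two msconfig Run- leftovers; every legitimate entry resolves to a file. On a live Windows machine the snapshot would be replaced by os.path.exists checks and the O4 lines by reading the Run, RunServices and Run- keys directly; an orphaned entry is a cleanup leftover and is harmless to remove, while an entry whose target does exist needs the file itself examined before anything is deleted.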

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:23 PM

Posted 23 November 2006 - 05:52 PM

1) Can/Should I safely perform a cleanup with CCleaner at once (having it also delete the above-mentioned notepad.exe.bak file)?

No, it's not necessary at this time.

2) Should I run McAfee Stinger in addition to all the previous scans/cleanups made (Ad-Aware / SpyBot / CWShredder), seeing that I haven't yet had the chance to run an online virus scan?

No, Stinger will not help you with this.

3) If I have the chance next time to have the infected computer connected to the internet, should I run Panda ActiveScan at once, prior to everything else?

We are going to run some online scans now.


Let's run through some scans first and see where that gets us.


Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Double-click sspsetup1.exe to install it.
  • Before installation it may ask you to check for program updates. Click YES.
    Then finish installation leaving all the default options.
  • Once the program is installed, it will ask if you wish to reboot now choose YES.
  • After reboot, open SpySweeper, by double-clicking the icon on your desktop.
  • Click Options on the left side.
  • Click the Sweep tab.
  • Under Items to Sweep make sure the following are checked:
    • Windows registry
    • Memory objects
    • Cookies
    • Compressed Files
    • System Restore Folder
  • Under Other Options make sure the following are checked:
    • Sweep all user accounts
    • Enable Direct Disk Sweeping
    • Sweep for rootkits
  • Click the Sweep button on the left side.
  • Click the Start Sweep button.
  • When it's done scanning, make sure everything has a check next to it, then click the Quarantine Selected button.
  • It will quarantine all of the items found.
  • Click View Session Log in the right corner above the box where the items are listed.
  • Click Save to File and save it on your desktop.
  • Exit SpySweeper.
  • Paste the contents of the session log you saved into your next reply (Spy Sweeper Session Log.txt).
  • NOTE: you can get to the log by clicking Options on the left. Then, View Session Log will be listed under Other Options.
==============



Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.


#14 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Portugal
  • Local time:07:23 PM

Posted 24 November 2006 - 06:32 AM

Regarding SpySweeper, just a doubt prior to running it, just to be sure: should I not worry that the minimum system requirements stated on WebRoot's site are Windows 2000, XP, XP Home or XP Media Center, while the computer it will run on is Windows 98 SE?...

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:23 PM

Posted 24 November 2006 - 04:48 PM

You're right. The new version won't run on Windows 98.
Try this link to download an older version which should still work for you.

http://starjax.com/gtg/ssf-snr-c-setup1_1845356465.exe