
Having a problem with SmitFraud.


16 replies to this topic

#1 sabrashatila


Posted 04 December 2006 - 10:49 PM

Hello,
I'm also having a problem with SmitFraud.
Help is needed.
This is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 5:50:10 PM, on 12/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\DOCUME~1\VALIDC~1\APPLIC~1\PPPATC~1\msconfig.exe
C:\Documents and Settings\VALID CUSTOMER\My Documents\?ssembly\w?wexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\VALID CUSTOMER\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/2/hi/americas/default.stm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {9927C00F-5AB7-2532-9EAA-5150A5F62AC7} - C:\WINDOWS\System32\zjojksm.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\System32\qdiwrpef.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - (no file)
O2 - BHO: (no name) - {6FE10F41-C9F7-9276-D18E-C16934ABDC95} - C:\WINDOWS\System32\pajgvynn.dll (file missing)
O2 - BHO: (no name) - {78E97178-93B1-46C4-89D8-D503C5876BBE} - C:\WINDOWS\System32\awvtt.dll (file missing)
O2 - BHO: (no name) - {9927C00F-5AB7-2532-9EAA-5150A5F62AC7} - C:\WINDOWS\System32\zjojksm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C577C608-0AB9-5633-9EDF-5450A7F22993} - C:\WINDOWS\System32\lqpewn.dll (file missing)
O2 - BHO: (no name) - {DB9955E8-C85A-CEDA-7C71-CE891A5934CF} - C:\WINDOWS\System32\cfdqezo.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\System32\eokcgute.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Ttel] "C:\DOCUME~1\VALIDC~1\APPLIC~1\PPPATC~1\msconfig.exe" -vt ndrv
O4 - HKCU\..\Run: [Rearpejv] C:\Documents and Settings\VALID CUSTOMER\My Documents\?ssembly\w?wexec.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\syst1.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)


Mod Edit: This post has been moved to a more appropriate Forum.

Edited by Scarlett, 05 December 2006 - 12:13 AM.



#2 miekiemoes

  • Malware Response Team

Posted 05 December 2006 - 01:47 AM

Hello,

I notice that you do not seem to be running antivirus software and a firewall. This is somewhat suicidal in today's digital world.
That's why I want you to install them first!!

Avira, AVG OR Avast OR Active Virus Shield (uncheck the Security Toolbar during install) are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system! Several together can give problems and seriously decrease its reliability!
Agnitum Outpost Free, ZoneAlarm Free OR Kerio are FREE firewalls.

Understanding and using firewalls

Perform a full scan with your antivirus and let it remove everything it is finding.
Reboot afterwards.

The current formatting of your HijackThis log makes it difficult to read, so in Notepad:
On top, click Format > uncheck Word Wrap

Then after performing the scan and reboot, post a new HijackThis log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 sabrashatila

  • Topic Starter


Posted 05 December 2006 - 08:02 PM

Hello,
I did what you said.
This is the new log:
Logfile of HijackThis v1.99.1
Scan saved at 7:53:47 PM, on 12/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\DOCUME~1\VALIDC~1\APPLIC~1\PPPATC~1\msconfig.exe
C:\Documents and Settings\VALID CUSTOMER\My Documents\?ssembly\w?wexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Documents and Settings\VALID CUSTOMER\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AntiVir PersonalEdition Classic\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/2/hi/americas/default.stm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {9927C00F-5AB7-2532-9EAA-5150A5F62AC7} - C:\WINDOWS\System32\zjojksm.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\System32\qdiwrpef.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - (no file)
O2 - BHO: (no name) - {6FE10F41-C9F7-9276-D18E-C16934ABDC95} - C:\WINDOWS\System32\pajgvynn.dll (file missing)
O2 - BHO: (no name) - {78E97178-93B1-46C4-89D8-D503C5876BBE} - C:\WINDOWS\System32\awvtt.dll (file missing)
O2 - BHO: (no name) - {9927C00F-5AB7-2532-9EAA-5150A5F62AC7} - C:\WINDOWS\System32\zjojksm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C577C608-0AB9-5633-9EDF-5450A7F22993} - C:\WINDOWS\System32\lqpewn.dll (file missing)
O2 - BHO: (no name) - {DB9955E8-C85A-CEDA-7C71-CE891A5934CF} - C:\WINDOWS\System32\cfdqezo.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\System32\eokcgute.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Ttel] "C:\DOCUME~1\VALIDC~1\APPLIC~1\PPPATC~1\msconfig.exe" -vt ndrv
O4 - HKCU\..\Run: [Rearpejv] C:\Documents and Settings\VALID CUSTOMER\My Documents\?ssembly\w?wexec.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\syst1.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 miekiemoes

  • Malware Response Team

Posted 06 December 2006 - 02:54 AM

Hello,

It is important you don't miss a step and perform everything in the right order!!

Go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following if present:

Oin
Yazzle by Oin
YazzleActiveX By OIN
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.


Reboot when done! Really important!

--------------------
After reboot....

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

R3 - URLSearchHook: (no name) - {9927C00F-5AB7-2532-9EAA-5150A5F62AC7} - C:\WINDOWS\System32\zjojksm.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\System32\qdiwrpef.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - (no file)
O2 - BHO: (no name) - {6FE10F41-C9F7-9276-D18E-C16934ABDC95} - C:\WINDOWS\System32\pajgvynn.dll (file missing)
O2 - BHO: (no name) - {78E97178-93B1-46C4-89D8-D503C5876BBE} - C:\WINDOWS\System32\awvtt.dll (file missing)
O2 - BHO: (no name) - {9927C00F-5AB7-2532-9EAA-5150A5F62AC7} - C:\WINDOWS\System32\zjojksm.dll
O2 - BHO: (no name) - {C577C608-0AB9-5633-9EDF-5450A7F22993} - C:\WINDOWS\System32\lqpewn.dll (file missing)
O2 - BHO: (no name) - {DB9955E8-C85A-CEDA-7C71-CE891A5934CF} - C:\WINDOWS\System32\cfdqezo.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\System32\eokcgute.dll (file missing)
O4 - HKCU\..\Run: [Ttel] "C:\DOCUME~1\VALIDC~1\APPLIC~1\PPPATC~1\msconfig.exe" -vt ndrv
O4 - HKCU\..\Run: [Rearpejv] C:\Documents and Settings\VALID CUSTOMER\My Documents\?ssembly\w?wexec.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\syst1.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
Don't worry if some entries won't go away, we'll deal with that later...

---------------------

* Go to start > run and copy and paste the following command into the field:

sc delete MsaSvc

Hit enter.

* Open Notepad and copy and paste what is present in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"

Save this as fix.reg, choose to save as *all files, and place it on your desktop.
It should look like this: Posted Image
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Please download, install, and update AVG Anti-Spyware
  • Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close AVG Anti-Spyware and reboot!!
    I need the log later.
-------------------------

* Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post the following logs in your next reply:
  • Log from combofix (combofix.txt)
  • Log from AVG Anti-Spyware
  • New HijackThis log
You may need several replies to post the logs in case they won't fit in one reply.
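The entries miekiemoes singles out above follow a few recognisable patterns: hooks and BHOs registered with no name, autostart binaries living under the user's Application Data or My Documents (with folder names HijackThis renders as "?"), an AppInit_DLLs value carrying a DLL outside Program Files, a Winlogon Notify package that is not one of the XP defaults, and a service with no vendor whose binary is already gone. As an added example (editor's code, not part of this thread and not a HijackThis feature), the Python script below applies those patterns to lines copied from the second log in this thread and produces the same three remediation pieces the helper asked for: a fix-checked list, an `sc delete` for the dead service, and a REGEDIT4 file that rewrites AppInit_DLLs keeping only the Google DLL. The heuristics and the list of default XP Winlogon Notify subkeys are the editor's assumptions; the sample log subset is constructed from the lines posted above.

```python
"""Triage a HijackThis v1.99.1 log with the indicators used in this thread.

Editor's example. The rules, the XP Winlogon Notify default list and the
sample log subset are assumptions, not output or logic from HijackThis.
"""
import re

# Default XP Winlogon\Notify subkeys (editor's list, an assumption); any
# other package loading at logon deserves a second look.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}
# Autostart binaries in per-user data folders are atypical for real software.
USER_DATA_MARKERS = ("applic~1", "application data", "my documents", "local settings")

# Constructed sample: lines copied from the second log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {9927C00F-5AB7-2532-9EAA-5150A5F62AC7} - C:\WINDOWS\System32\zjojksm.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\System32\qdiwrpef.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Ttel] "C:\DOCUME~1\VALIDC~1\APPLIC~1\PPPATC~1\msconfig.exe" -vt ndrv
O4 - HKCU\..\Run: [Rearpejv] C:\Documents and Settings\VALID CUSTOMER\My Documents\?ssembly\w?wexec.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\syst1.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)
"""


def parse_line(line):
    """Split 'O2 - BHO: ...' into (section, body); None for non-entry lines."""
    m = re.match(r"^([A-Z]\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def _under_program_files(path):
    return path.lower().startswith(("c:\\program files", "c:\\progra~1"))


def is_suspicious(section, body):
    """Apply one rule per HijackThis section to a single entry body."""
    b = body.lower()
    if section in ("R3", "O2"):
        # Hooks and BHOs registered without a name: classic dropper residue.
        return "(no name)" in b
    if section == "O4":
        # '?' is how HijackThis renders non-ASCII folder names used to hide paths.
        return "?" in b or any(marker in b for marker in USER_DATA_MARKERS)
    if section == "O20":
        if b.startswith("appinit_dlls:"):
            dlls = body.split(":", 1)[1].split()
            return any(not _under_program_files(d) for d in dlls)
        if b.startswith("winlogon notify:"):
            name = body.split(":", 1)[1].split(" - ")[0].strip().lower()
            return name not in KNOWN_WINLOGON_NOTIFY
    if section == "O23":
        # No vendor and the binary is gone: nothing legitimate will recreate
        # it, which is why the helper removed it with 'sc delete'.
        return "unknown owner" in b and "(file missing)" in b
    return False


def triage(log_text):
    """Return the fix-checked list, services to delete and AppInit DLLs to keep."""
    plan = {"fix_checked": [], "sc_delete": [], "appinit_keep": []}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, body = parsed
        if not is_suspicious(section, body):
            continue
        plan["fix_checked"].append(line.strip())
        if section == "O23":
            m = re.search(r"\(([^()]+)\) - ", body)  # short name in parentheses
            plan["sc_delete"].append(m.group(1) if m else body.split(" - ")[0][len("Service: "):])
        if section == "O20" and body.lower().startswith("appinit_dlls:"):
            plan["appinit_keep"] = [d for d in body.split(":", 1)[1].split() if _under_program_files(d)]
    return plan


def reg_fix(appinit_keep):
    """Render a REGEDIT4 file rewriting AppInit_DLLs with only the kept DLLs.

    .reg string data needs every backslash doubled, which is why the helper's
    fix.reg above shows doubled backslashes inside the quoted value.
    """
    value = " ".join(appinit_keep).replace("\\", "\\\\")
    return (
        "REGEDIT4\n\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\n"
        f'"AppInit_DLLs"="{value}"\n'
    )


if __name__ == "__main__":
    plan = triage(SAMPLE_LOG)
    print("Fix checked in HijackThis:")
    for entry in plan["fix_checked"]:
        print("  " + entry)
    for svc in plan["sc_delete"]:
        print(f"Run: sc delete {svc}")
    print(reg_fix(plan["appinit_keep"]))
```

Run as a script it prints the eight entries the helper listed, `sc delete MsaSvc`, and a fix.reg body identical to the one quoted in this post. Lines for the Google Toolbar BHO, the Avira Run entry and the AVG service pass all rules, which is the point of keying on "(no name)", user-profile paths and vendor-less missing binaries rather than on the random DLL names, since those change with every infection.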

#5 sabrashatila

  • Topic Starter


Posted 07 December 2006 - 12:25 AM

Thanks,
I didn't have time today to do this. I'll work on it tomorrow.
Thanks again.

#6 miekiemoes

  • Malware Response Team

Posted 07 December 2006 - 01:07 AM

Ok, just don't wait too long with this, because the longer you wait, the more malware will be downloaded and installed.

#7 sabrashatila

  • Topic Starter


Posted 07 December 2006 - 08:00 PM

Hi,
these are the logs:
Logfile of HijackThis v1.99.1
Scan saved at 19:53, on 06-12-07
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\VALID CUSTOMER\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/2/hi/americas/default.stm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:35:42 PM 12/7/2006

+ Scan result:



C:\Documents and Settings\VALID CUSTOMER\Desktop\backups\backup-20061207-183751-260.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8ED64A63-696D-4FD5-8352-85E9B3419F92}\RP64\A0070084.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8ED64A63-696D-4FD5-8352-85E9B3419F92}\RP65\A0070181.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8ED64A63-696D-4FD5-8352-85E9B3419F92}\RP66\A0070359.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8ED64A63-696D-4FD5-8352-85E9B3419F92}\RP67\A0070537.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8ED64A63-696D-4FD5-8352-85E9B3419F92}\RP68\A0070715.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8ED64A63-696D-4FD5-8352-85E9B3419F92}\RP69\A0070893.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8ED64A63-696D-4FD5-8352-85E9B3419F92}\RP75\A0075254.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8ED64A63-696D-4FD5-8352-85E9B3419F92}\RP86\A0078867.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8ED64A63-696D-4FD5-8352-85E9B3419F92}\RP85\A0078826.exe -> Downloader.PurityScan.dc : Cleaned.
C:\WINDOWS\system32\011152ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\11139532ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\11557652ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\1171712ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\12387342ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\1281872ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\1373592ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\14115312ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\14383122ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\14395782ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\15148592ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\16279062ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\16495622ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\1835782ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\18407502ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\1844782ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\20251402ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\20308432ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\21285782ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\2138782ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\22185002ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\23218752ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\2385932ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\24518592ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\25547182ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\2596402ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\26493902ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\2658752ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\26598282ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\27217652ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\28372502ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\2942342ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\30487652ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\3129682ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\320782ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\32184372ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\3274212ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\33427652ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\33554532ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\3377182ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\3414462ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\35429532ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\37376562ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\41132182ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\42543752ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\43516712ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\44337652ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\4476092ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\4512502ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\45374842ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\4648902ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\4664062ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\48181712ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\4818752ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\5019782ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\50262182ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\50555462ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\5128122ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\5332342ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\54593752ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\5468752ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\55227182ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\5562812ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\562462ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\5702502ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\57235152ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\5728782ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\59377032ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\6472812ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\835152ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\8397502ld.exe -> Proxy.Dlena.au : Cleaned.
C:\WINDOWS\system32\9343902ld.exe -> Proxy.Dlena.au : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@ehg-tekzoned.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\VALID CUSTOMER\Cookies\valid customer@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.


::Report end

#8 sabrashatila

  • Topic Starter
  • Members
  • 17 posts

Posted 07 December 2006 - 08:04 PM

Next log


VALID CUSTOMER - 06-12-07 19:44:37.06 Service Pack 1
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\VALID CUSTOMER\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{3028512A-04B0-1033-0307-050115040001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\PPPATC~1
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\TSKS~1
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\PPPATC~1\msconfig.exe
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\PPPATC~1\PPPATC~1
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\PPPATC~1\PPPATC~1\ctxad-515.0000
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\PPPATC~1\PPPATC~1\ctxad-515.0001
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\PPPATC~1\PPPATC~1\ctxad-515.0002
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\PPPATC~1\PPPATC~1\ctxad-515.0003
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\PPPATC~1\PPPATC~1\ctxad-515.0004
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\PPPATC~1\PPPATC~1\ctxad-515.0005
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\My Documents\SSEMBL~1
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\My Documents\SSEMBL~1\w?wexec.exe
C:\QooBox\Purity\Program Files\ECURIT~1
C:\QooBox\Purity\Program Files\MANTEC~1
C:\QooBox\Purity\Program Files\SKS~1
C:\QooBox\Purity\Program Files\MANTEC~1\wuauclt.exe
C:\QooBox\Purity\Program Files\MANTEC~1\??mantec
C:\QooBox\Purity\WINDOWS\APPATC~1
C:\QooBox\Purity\WINDOWS\WNSXS~1
C:\QooBox\Purity\WINDOWS\APPATC~1\w?nlogon.exe
C:\QooBox\Purity\WINDOWS\system32\MBOLS~1


((((((((((((((((((((((((((((((( Files Created from 2006-11-07 to 2006-12-07 ))))))))))))))))))))))))))))))))))


2006-12-07 19:39 30,208 --a------ C:\WINDOWS\system32\39367962ld.exe
2006-12-07 19:36 30,208 --a------ C:\WINDOWS\system32\36207342ld.exe
2006-12-05 19:11 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-12-05 19:11 <DIR> d-------- C:\Program Files\Zone Labs
2006-12-05 19:03 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-12-05 18:44 57,384 --a------ C:\WINDOWS\system32\avsda.dll
2006-12-05 18:44 32,768 --a------ C:\WINDOWS\system32\drivers\avgntdd.sys
2006-12-05 18:44 14,848 --a------ C:\WINDOWS\system32\drivers\avgntmgr.sys
2006-12-05 18:44 <DIR> d-------- C:\Program Files\AntiVir PersonalEdition Classic
2006-12-05 18:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2006-12-03 20:39 <DIR> d--h----- C:\WINDOWS\PIF
2006-12-03 20:34 <DIR> d-------- C:\Program Files\HijackThis
2006-12-03 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-12-03 20:07 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-12-03 20:00 <DIR> d-------- C:\WINDOWS\Sun
2006-12-03 20:00 <DIR> d-------- C:\Documents and Settings\VALID CUSTOMER\Application Data\Sun
2006-12-03 20:00 <DIR> d-------- C:\Documents and Settings\VALID CUSTOMER\.housecall6.6
2006-12-02 21:32 1,634 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-02 15:29 45,056 --a------ C:\command.exe
2006-11-30 21:57 <DIR> d--hs---- C:\WINDOWS\CSC
2006-11-27 12:04 88,340 --a------ C:\WINDOWS\system32\iwfeeira.exe
2006-11-23 09:01 38,420 --a------ C:\WINDOWS\system32\jjjukhym.dll
2006-11-20 21:59 <DIR> d-------- C:\WINDOWS\Minidump
2006-11-20 21:56 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-20 21:55 <DIR> d-------- C:\Program Files\Grisoft
2006-11-20 19:19 30,208 --a------ C:\WINDOWS\system32\rpcc.dll
2006-11-19 18:48 137 --a-s---- C:\WINDOWS\test.bat
2006-11-17 21:28 <DIR> d-------- C:\Program Files\Lavasoft
2006-11-16 19:40 64,512 --a------ C:\WINDOWS\system32\PTPITCP.dll
2006-11-16 19:40 294,912 --a------ C:\WINDOWS\system32\KPDPM.dll
2006-11-16 19:40 225,280 --a------ C:\WINDOWS\system32\KPDPMUI.dll
2006-11-16 19:40 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2006-11-16 19:39 <DIR> d-------- C:\WINDOWS\system32\color
2006-11-16 19:39 <DIR> d-------- C:\Program Files\Common Files\Kodak
2006-11-16 19:39 <DIR> d-------- C:\KPCMS
2006-11-16 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2006-11-16 19:33 <DIR> d-------- C:\Program Files\Kodak


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-12-07 19:45 -------- d-------- C:\Program Files\Common Files
2006-12-04 12:44 -------- d-------- C:\Program Files\QuickTime
2006-12-03 21:12 -------- d-------- C:\Program Files\Pure Networks
2006-12-03 20:07 -------- d-------- C:\Program Files\Internet Explorer
2006-12-03 19:32 -------- d-------- C:\Program Files\Common Files\AOL
2006-11-27 12:38 45056 --a------ C:\WINDOWS\system32\regapi.exe
2006-11-20 23:04 -------- d-------- C:\Program Files\LimeWire
2006-11-20 19:41 -------- d-------- C:\Program Files\America Online 9.0a
2006-11-04 11:49 -------- d-------- C:\Documents and Settings\VALID CUSTOMER\Application Data\LimeWire
2006-11-04 11:22 -------- d-------- C:\Program Files\Java
2006-11-04 11:19 -------- d-------- C:\Program Files\Common Files\Java
2006-10-30 21:28 -------- d-------- C:\Program Files\SiSLan
2006-10-30 21:24 -------- d-------- C:\Program Files\C-Media 3D Audio
2006-10-30 21:20 -------- d-------- C:\Program Files\SiS VGA Utilities V3.62
2006-10-30 21:19 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-30 21:15 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-10-30 20:13 -------- d-------- C:\Documents and Settings\VALID CUSTOMER\Application Data\Google
2006-10-30 20:00 -------- d-------- C:\Program Files\Google
2006-10-30 19:58 -------- d-------- C:\Documents and Settings\VALID CUSTOMER\Application Data\Real
2006-10-30 19:37 -------- d-------- C:\Program Files\Common Files\xing shared
2006-10-30 19:37 -------- d-------- C:\Program Files\Common Files\Real
2006-10-30 19:30 -------- d---s---- C:\Documents and Settings\VALID CUSTOMER\Application Data\Microsoft
2006-10-29 19:30 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-10-09 13:15 -------- d-------- C:\Documents and Settings\VALID CUSTOMER\Application Data\Macromedia
2006-10-09 13:10 -------- d-------- C:\Program Files\AOL Companion


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-12-07 19:46:05.32
C:\ComboFix.txt ... 06-12-07 19:46

#9 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts

Posted 07 December 2006 - 08:22 PM

Hello,

You still have some nasty infections present there. :thumbsup:
Please perform my next steps in the right order!!

Download
http://www.uploads.ejvindh.net/rustbfix.exe
...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). I need those logs later.

Then:
* Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".
Click the button: All Files (!important!)
Now it should flash green.

Now copy the next bold part:

C:\WINDOWS\system32\rpcc.dll
C:\WINDOWS\system32\39367962ld.exe
C:\WINDOWS\system32\36207342ld.exe
C:\command.exe
C:\WINDOWS\system32\iwfeeira.exe
C:\WINDOWS\system32\jjjukhym.dll
C:\WINDOWS\test.bat
C:\WINDOWS\system32\regapi.exe


Open 'File' in the Killbox menu on top and choose Paste from clipboard

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.

Your computer should reboot now.

After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 10.
  • Scroll down to where it says "Java Runtime Environment (JRE) 5.0 Update 10".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_10-windows-i586-p.exe to install the newest version.
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Post next logs in your following reply:
  • New Hijackthislog
  • C:\rustbfix\pelog.txt
  • C:\Avenger.txt
  • New Combofix log (so rescan with combofix)

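The two fresh NNNNNNNNld.exe files and rpcc.dll in the Killbox list above come straight out of the ComboFix log: 30,208-byte copies were still being written minutes apart after AVG Anti-Spyware had cleaned dozens of them, the sign that whatever drops them is still running. As an added example (not from this thread or from any of the tools it names), the Python below pulls those signals out of a ComboFix "Files Created" section; its log lines are constructed after the one posted above, and the digits-plus-"ld.exe" naming and the system32 location are assumptions taken from that log.

```python
import ntpath
import re
from datetime import datetime

# Constructed sample modelled on the ComboFix "Files Created" / "Find3M" lines
# posted in this thread: same date/size/attribute/path layout, a few benign
# entries, two NNNNNNNNld.exe droppers three minutes apart and the rpcc.dll
# loader DLL of identical size.
SAMPLE_LOG = r"""
2006-12-07 19:39 30,208 --a------ C:\WINDOWS\system32\39367962ld.exe
2006-12-07 19:36 30,208 --a------ C:\WINDOWS\system32\36207342ld.exe
2006-12-05 19:11 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-12-05 18:44 57,384 --a------ C:\WINDOWS\system32\avsda.dll
2006-11-27 12:38 45056 --a------ C:\WINDOWS\system32\regapi.exe
2006-11-20 19:19 30,208 --a------ C:\WINDOWS\system32\rpcc.dll
2006-12-07 19:45 -------- d-------- C:\Program Files\Common Files
"""

# date time   size | <DIR> | -------- (Find3M)   nine attribute flags   path
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|-+|[\d,]+)\s+(\S{9})\s+(.+)$")

# Assumed dropper naming on this machine: a run of digits, then "ld.exe".
DROPPER_NAME = re.compile(r"^\d+ld\.exe$", re.IGNORECASE)


def parse_entries(text):
    """Turn ComboFix file lines into dicts; lines in any other layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size_field = m.group(2)
        entries.append({
            "when": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
            # <DIR> and the Find3M dashes carry no byte size
            "size": int(size_field.replace(",", "")) if size_field[0].isdigit() else None,
            "attrs": m.group(3),
            "path": m.group(4),
        })
    return entries


def find_droppers(entries, directory=r"C:\WINDOWS\system32"):
    """*ld.exe files in `directory`, oldest first, as (path, size, minutes since previous)."""
    hits = [e for e in entries
            if e["size"] is not None
            and ntpath.dirname(e["path"]).lower() == directory.lower()
            and DROPPER_NAME.match(ntpath.basename(e["path"]))]
    hits.sort(key=lambda e: e["when"])
    out, prev = [], None
    for e in hits:
        gap = None if prev is None else int((e["when"] - prev["when"]).total_seconds() // 60)
        out.append((e["path"], e["size"], gap))
        prev = e
    return out


def same_size_siblings(entries, droppers):
    """Other files whose byte size equals a dropper's. A matching size proves
    nothing by itself, but it is a cheap hint that deserves a manual look."""
    sizes = {size for _, size, _ in droppers}
    seen = {path for path, _, _ in droppers}
    return [e["path"] for e in entries if e["size"] in sizes and e["path"] not in seen]


def assess(text):
    """Summarise whether the log shows the dropper still being written after cleanup."""
    entries = parse_entries(text)
    droppers = find_droppers(entries)
    return {
        "droppers": droppers,
        "same_size": same_size_siblings(entries, droppers),
        # Two or more fresh copies means the process writing them survived the cleanup.
        "still_active": len(droppers) >= 2,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_LOG)
    for path, size, gap in report["droppers"]:
        print(f"{path}  {size} bytes  {'' if gap is None else f'+{gap} min'}")
    print("same-size files:", report["same_size"])
    print("dropper still active:", report["still_active"])
```

Run against a real ComboFix.txt, the same three checks give a quick answer to "did the last cleanup actually stop it?" before any more files are deleted by hand.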

#10 sabrashatila

  • Topic Starter
  • Members
  • 17 posts

Posted 08 December 2006 - 09:54 PM

Hello,
Here we go again:
Logfile of HijackThis v1.99.1
Scan saved at 21:44, on 06-12-08
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\VALID CUSTOMER\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/2/hi/americas/default.stm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


************************* Rustock.b-fix -- By ejvindh *************************
06-12-08 20:40:07.59


******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 70724
Total size: 70724 bytes.
Attempting to remove ADS...
system32: deleted 70724 bytes in 1 streams.


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tvdftoel

*******************

Script file located at: \??\C:\tjivuyss.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

******************************* End of Logfile ********************************

VALID CUSTOMER - 06-12-08 21:48:50.32 Service Pack 1
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\VALID CUSTOMER\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\PPPATC~1
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\TSKS~1
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\PPPATC~1\msconfig.exe
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\PPPATC~1\PPPATC~1
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\PPPATC~1\PPPATC~1\ctxad-515.0000
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\PPPATC~1\PPPATC~1\ctxad-515.0001
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\PPPATC~1\PPPATC~1\ctxad-515.0002
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\PPPATC~1\PPPATC~1\ctxad-515.0003
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\PPPATC~1\PPPATC~1\ctxad-515.0004
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\Application Data\PPPATC~1\PPPATC~1\ctxad-515.0005
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\My Documents\SSEMBL~1
C:\QooBox\Purity\Documents and Settings\VALID CUSTOMER\My Documents\SSEMBL~1\w?wexec.exe
C:\QooBox\Purity\Program Files\ECURIT~1
C:\QooBox\Purity\Program Files\MANTEC~1
C:\QooBox\Purity\Program Files\SKS~1
C:\QooBox\Purity\Program Files\MANTEC~1\wuauclt.exe
C:\QooBox\Purity\Program Files\MANTEC~1\??mantec
C:\QooBox\Purity\WINDOWS\APPATC~1
C:\QooBox\Purity\WINDOWS\WNSXS~1
C:\QooBox\Purity\WINDOWS\APPATC~1\w?nlogon.exe
C:\QooBox\Purity\WINDOWS\system32\MBOLS~1


((((((((((((((((((((((((((((((( Files Created from 2006-11-07 to 2006-12-07 ))))))))))))))))))))))))))))))))))


2006-12-08 21:22 <DIR> d-------- C:\Program Files\Java
2006-12-08 21:22 <DIR> d-------- C:\Program Files\Common Files\Java
2006-12-08 21:02 <DIR> d-------- C:\Documents and Settings\VALID CUSTOMER\.SunDownloadManager
2006-12-08 20:49 <DIR> d-------- C:\!KillBox
2006-12-08 20:43 <DIR> d-------- C:\avenger
2006-12-08 20:40 <DIR> d-------- C:\Rustbfix
2006-12-08 20:39 30,208 --a------ C:\WINDOWS\system32\395782ld.exe
2006-12-08 20:22 30,208 --a------ C:\WINDOWS\system32\2232652ld.exe
2006-12-08 19:45 30,208 --a------ C:\WINDOWS\system32\45486252ld.exe
2006-12-08 18:32 30,208 --a------ C:\WINDOWS\system32\32584842ld.exe
2006-12-08 14:55 30,208 --a------ C:\WINDOWS\system32\5515152ld.exe
2006-12-08 10:43 30,208 --a------ C:\WINDOWS\system32\43229532ld.exe
2006-12-08 08:55 30,208 --a------ C:\WINDOWS\system32\5538122ld.exe
2006-12-07 22:01 30,208 --a------ C:\WINDOWS\system32\1388122ld.exe
2006-12-07 21:48 30,208 --a------ C:\WINDOWS\system32\48381562ld.exe
2006-12-07 21:36 30,208 --a------ C:\WINDOWS\system32\36224372ld.exe
2006-12-07 21:20 30,208 --a------ C:\WINDOWS\system32\20112342ld.exe
2006-12-07 21:09 30,208 --a------ C:\WINDOWS\system32\9517032ld.exe
2006-12-07 20:59 30,208 --a------ C:\WINDOWS\system32\59266252ld.exe
2006-12-07 20:48 30,208 --a------ C:\WINDOWS\system32\4845782ld.exe
2006-12-07 20:37 30,208 --a------ C:\WINDOWS\system32\37154062ld.exe
2006-12-07 20:25 30,208 --a------ C:\WINDOWS\system32\2586092ld.exe
2006-12-07 20:10 30,208 --a------ C:\WINDOWS\system32\10264212ld.exe
2006-12-07 19:59 30,208 --a------ C:\WINDOWS\system32\59448122ld.exe
2006-12-07 19:50 30,208 --a------ C:\WINDOWS\system32\5016312ld.exe
2006-12-05 19:11 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-12-05 19:11 <DIR> d-------- C:\Program Files\Zone Labs
2006-12-05 19:03 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-12-05 18:44 57,384 --a------ C:\WINDOWS\system32\avsda.dll
2006-12-05 18:44 32,768 --a------ C:\WINDOWS\system32\drivers\avgntdd.sys
2006-12-05 18:44 14,848 --a------ C:\WINDOWS\system32\drivers\avgntmgr.sys
2006-12-05 18:44 <DIR> d-------- C:\Program Files\AntiVir PersonalEdition Classic
2006-12-05 18:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2006-12-03 20:39 <DIR> d--h----- C:\WINDOWS\PIF
2006-12-03 20:34 <DIR> d-------- C:\Program Files\HijackThis
2006-12-03 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-12-03 20:07 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-12-03 20:00 <DIR> d-------- C:\WINDOWS\Sun
2006-12-03 20:00 <DIR> d-------- C:\Documents and Settings\VALID CUSTOMER\Application Data\Sun
2006-12-03 20:00 <DIR> d-------- C:\Documents and Settings\VALID CUSTOMER\.housecall6.6
2006-12-02 21:32 1,634 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-30 21:57 <DIR> d--hs---- C:\WINDOWS\CSC
2006-11-20 21:59 <DIR> d-------- C:\WINDOWS\Minidump
2006-11-20 21:56 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-20 21:55 <DIR> d-------- C:\Program Files\Grisoft
2006-11-17 21:28 <DIR> d-------- C:\Program Files\Lavasoft
2006-11-16 19:40 64,512 --a------ C:\WINDOWS\system32\PTPITCP.dll
2006-11-16 19:40 294,912 --a------ C:\WINDOWS\system32\KPDPM.dll
2006-11-16 19:40 225,280 --a------ C:\WINDOWS\system32\KPDPMUI.dll
2006-11-16 19:40 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2006-11-16 19:39 <DIR> d-------- C:\WINDOWS\system32\color
2006-11-16 19:39 <DIR> d-------- C:\Program Files\Common Files\Kodak
2006-11-16 19:39 <DIR> d-------- C:\KPCMS
2006-11-16 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2006-11-16 19:33 <DIR> d-------- C:\Program Files\Kodak


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-08 21:22 -------- d-------- C:\Program Files\Common Files
2006-12-04 12:44 -------- d-------- C:\Program Files\QuickTime
2006-12-03 21:12 -------- d-------- C:\Program Files\Pure Networks
2006-12-03 20:07 -------- d-------- C:\Program Files\Internet Explorer
2006-12-03 19:32 -------- d-------- C:\Program Files\Common Files\AOL
2006-11-20 23:04 -------- d-------- C:\Program Files\LimeWire
2006-11-20 19:41 -------- d-------- C:\Program Files\America Online 9.0a
2006-11-04 11:49 -------- d-------- C:\Documents and Settings\VALID CUSTOMER\Application Data\LimeWire
2006-10-30 21:28 -------- d-------- C:\Program Files\SiSLan
2006-10-30 21:24 -------- d-------- C:\Program Files\C-Media 3D Audio
2006-10-30 21:20 -------- d-------- C:\Program Files\SiS VGA Utilities V3.62
2006-10-30 21:19 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-30 21:15 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-10-30 20:13 -------- d-------- C:\Documents and Settings\VALID CUSTOMER\Application Data\Google
2006-10-30 20:00 -------- d-------- C:\Program Files\Google
2006-10-30 19:58 -------- d-------- C:\Documents and Settings\VALID CUSTOMER\Application Data\Real
2006-10-30 19:37 -------- d-------- C:\Program Files\Common Files\xing shared
2006-10-30 19:37 -------- d-------- C:\Program Files\Common Files\Real
2006-10-30 19:30 -------- d---s---- C:\Documents and Settings\VALID CUSTOMER\Application Data\Microsoft
2006-10-29 19:30 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-10-09 13:15 -------- d-------- C:\Documents and Settings\VALID CUSTOMER\Application Data\Macromedia
2006-10-09 13:10 -------- d-------- C:\Program Files\AOL Companion


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-12-08 21:49:34.53
C:\ComboFix.txt ... 06-12-08 21:49
C:\ComboFix2.txt ... 06-12-07 19:46

#11 sabrashatila

sabrashatila
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:47 AM

Posted 08 December 2006 - 09:56 PM

I have to say that I had problems when I went to open java.
If you see anything strange let me know.
Thanks

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:47 AM

Posted 09 December 2006 - 01:17 AM

Hello,

I see that your Java got installed properly after all... It shows the next version in your log :thumbsup:

Delete next files:

C:\WINDOWS\system32\395782ld.exe
C:\WINDOWS\system32\2232652ld.exe
C:\WINDOWS\system32\45486252ld.exe
C:\WINDOWS\system32\32584842ld.exe
C:\WINDOWS\system32\5515152ld.exe
C:\WINDOWS\system32\43229532ld.exe
C:\WINDOWS\system32\5538122ld.exe
C:\WINDOWS\system32\1388122ld.exe
C:\WINDOWS\system32\48381562ld.exe
C:\WINDOWS\system32\36224372ld.exe
C:\WINDOWS\system32\20112342ld.exe
C:\WINDOWS\system32\9517032ld.exe
C:\WINDOWS\system32\59266252ld.exe
C:\WINDOWS\system32\4845782ld.exe
C:\WINDOWS\system32\37154062ld.exe
C:\WINDOWS\system32\2586092ld.exe
C:\WINDOWS\system32\10264212ld.exe
C:\WINDOWS\system32\59448122ld.exe
C:\WINDOWS\system32\5016312ld.exe

It could be possible that some new ones are present there as well, so delete them. You'll easily recognise them: they start with a number and end in 2ld.exe.

Then empty your recycle bin again.

As a final checkup, I also want you to perform the following:

Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found, if any, so don't worry if it tells you that no files were found.
In case hidden files were found, don't choose rename yet! I want to see the log first, because legit items can also be present there...
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Post the contents of the log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
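The post above tells the user to hunt for every file in system32 whose name is a run of digits followed by "2ld.exe", and the ComboFix listing earlier in the thread shows four such files, all 30,208 bytes, written within 35 minutes of each other. The script below is an added example, not part of this thread or of ComboFix: it parses ComboFix-style file lines (the sample is taken from the log above), flags entries matching that naming scheme, and can apply the same check to a live directory. The line format regex and the Entry class are this example's own assumptions about how ComboFix lays out its "new files" section.

```python
"""Flag files matching the SmitFraud dropper naming scheme (digits + "2ld.exe").

Added example, not code from the BleepingComputer thread or from ComboFix.
The name pattern is the one the helper describes above; the ComboFix line
layout (date, time, size or <DIR>, 9-character attribute field, path) is
inferred from the log in this thread and is an assumption of this example.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# One ComboFix "new files" line, e.g.
# "2006-12-07 20:25 30,208 --a------ C:\WINDOWS\system32\2586092ld.exe"
COMBOFIX_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>\S.*)$"
)

# Naming scheme from the post: one or more digits, then "2ld.exe".
DROPPER_NAME = re.compile(r"^\d+2ld\.exe$", re.IGNORECASE)

# Sample lines copied from the ComboFix output above (four droppers, two benign entries).
SAMPLE_LOG = """\
2006-12-07 20:25 30,208 --a------ C:\\WINDOWS\\system32\\2586092ld.exe
2006-12-07 20:10 30,208 --a------ C:\\WINDOWS\\system32\\10264212ld.exe
2006-12-07 19:59 30,208 --a------ C:\\WINDOWS\\system32\\59448122ld.exe
2006-12-07 19:50 30,208 --a------ C:\\WINDOWS\\system32\\5016312ld.exe
2006-12-05 19:11 <DIR> d-------- C:\\WINDOWS\\system32\\ZoneLabs
2006-12-05 18:44 57,384 --a------ C:\\WINDOWS\\system32\\avsda.dll
"""


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for <DIR> entries
    attrs: str
    path: str

    @property
    def name(self) -> str:
        # ComboFix logs come from Windows, so split on the backslash.
        return self.path.rsplit("\\", 1)[-1]

    def is_dropper(self) -> bool:
        # Only regular files can be droppers; directories are skipped.
        return self.size is not None and DROPPER_NAME.match(self.name) is not None


def parse_combofix(text: str) -> List[Entry]:
    """Parse file lines; headers, blank lines and registry sections are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = COMBOFIX_LINE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def find_droppers(entries: List[Entry]) -> List[Entry]:
    """Return the entries whose file name matches the dropper scheme."""
    return [e for e in entries if e.is_dropper()]


def scan_directory(directory: str) -> List[str]:
    """Apply the same name check to a live directory (e.g. C:\\WINDOWS\\system32)."""
    return sorted(
        os.path.join(directory, n)
        for n in os.listdir(directory)
        if DROPPER_NAME.match(n) and os.path.isfile(os.path.join(directory, n))
    )


if __name__ == "__main__":
    for e in find_droppers(parse_combofix(SAMPLE_LOG)):
        print(f"{e.date} {e.time} {e.size:>7} {e.path}")
```

Run it against a saved C:\ComboFix.txt by passing the file's contents to parse_combofix, or point scan_directory at system32 to catch copies dropped after the log was taken. Note that the sample hits were all created within about 35 minutes, so a fresh scan after the listed files are deleted is the check that tells you whether whatever writes them is still active.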

#13 sabrashatila

sabrashatila
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:47 AM

Posted 09 December 2006 - 09:15 PM

Hi,
This is the log

12/09/06 20:59:38 [Info]: BlackLight Engine 1.0.47 initialized
12/09/06 20:59:38 [Info]: OS: 5.1 build 2600 (Service Pack 1)
12/09/06 20:59:47 [Note]: 7019 4
12/09/06 20:59:47 [Note]: 7005 0
12/09/06 21:00:16 [Note]: 7006 0
12/09/06 21:00:16 [Note]: 7011 1172
12/09/06 21:00:18 [Note]: 7026 0
12/09/06 21:00:20 [Note]: 7026 0
12/09/06 21:01:21 [Note]: FSRAW library version 1.7.1020
12/09/06 21:03:46 [Note]: 2000 1012
12/09/06 21:04:35 [Note]: 7007 0


On another subject, I keep having alerts from Zone Alarm Security Alert saying that Anti-Spyware is trying to access the internet (application avgas.exe)

Should I allow the change?
Do I have security systems that are in conflict?
Which ones should I keep?

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:47 AM

Posted 10 December 2006 - 03:10 AM

Hello;

I keep having alerts from Zone Alarm Security Alert saying that Anti-Spyware is trying to access the internet (application avgas.exe)

Yes, allow it, because it's from your AVG Antispyware.

Do I have security systems that are in conflict?

No, because you only have one antivirus (Avira) and one firewall (ZoneAlarm); only if you had more than one of those would they conflict.
AVG Antispyware and AOL Spyware Protection are antispyware tools and do not conflict with an Antivirus and Firewall.

How are things running now?

#15 sabrashatila

sabrashatila
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:47 AM

Posted 10 December 2006 - 10:17 AM

Things are running well.
Thanks
