Smitfraud-c Toolbar888 And Smitfraud Persistent Infections


10 replies to this topic

#1 candyflip

  • Members
  • 15 posts
  • Gender:Male

Posted 30 January 2007 - 12:09 AM

Hi there,

I've only just picked up (in the last 2 days) a persistent SmitFraud infection. I also had an Italian dialler program problem for a while, but that seems to have been fixed after following some advice I've seen given to others here on the forums and installing AdAware, Spybot, AVG Anti-Spyware, SpyWareBlaster, Stinger and so forth. But the end of my diagnostic capabilities appears to have been reached. The SmitFraud infection persists after 4 hours of attempts today to get rid of it. :thumbsup:

I have a Hijackthis log file here:

Logfile of HijackThis v1.99.1
Scan saved at 3:52:15 PM, on 30/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\v6.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\{14E3B5E9-06C1-1033-1214-05033120003d}\Update.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Telstra\OnlineTextBuddy\OnlineTextBuddy.exe
C:\WINDOWS\APPATC~1\spool32.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\HJT\KITTEN.COM

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pc.support.global.toshiba.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://mws-stat-syd.cdn.telstra.com.au/uatb-proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.0.2:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A0352F96-E200-B7D5-0623-ED1BC5071491} - C:\WINDOWS\system32\vot.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1115B9BB-5E3B-41DB-A244-5C1F0DFF2136} - C:\WINDOWS\system32\ljjgeec.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\qxtnsvtl.dll
O2 - BHO: (no name) - {A0352F96-E200-B7D5-0623-ED1BC5071491} - C:\WINDOWS\system32\vot.dll
O2 - BHO: (no name) - {C4004CCD-4F93-46D9-A090-6EC6BC9B4133} - C:\WINDOWS\system32\ddayv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LaunchApp] launchapp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [pnwvawj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Rental1\Local Settings\Application Data\pnwvawj.dll",olexgd
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\golnaetg.dll",setvm
O4 - HKLM\..\Run: [{14E3B5E9-06C1-1033-1214-05033120003d}] "C:\Program Files\Common Files\{14E3B5E9-06C1-1033-1214-05033120003d}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OnlineTextBuddy] C:\Program Files\Telstra\OnlineTextBuddy\OnlineTextBuddy.exe /quiet
O4 - HKCU\..\Run: [Esrm] "C:\WINDOWS\APPATC~1\spool32.exe" -vt yazb
O4 - HKCU\..\Run: [Vdzncvkw] "C:\WINDOWS\system32\?dobe\m?hta.exe" 99001162
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2007\spy.htm
O8 - Extra context menu item: SnipeIt! eSnipe - http://www.esnipe.com/SnipeIt/SnipeItOpen3.asp
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2007\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2007\spy.htm
O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - https://testdirector.telstra.com.au/tdbin/Spider.ocx
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherA...iomanagerwt.cab
O20 - Winlogon Notify: ddayv - C:\WINDOWS\system32\ddayv.dll
O20 - Winlogon Notify: ljjgeec - C:\WINDOWS\SYSTEM32\ljjgeec.dll
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\SYSTEM32\winjyg32.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe


I can vouch for the following by the way, if that helps:

O4 - HKCU\..\Run: [OnlineTextBuddy] C:\Program Files\Telstra\OnlineTextBuddy\OnlineTextBuddy.exe /quiet
O8 - Extra context menu item: SnipeIt! eSnipe - http://www.esnipe.com/SnipeIt/SnipeItOpen3.asp
O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - https://testdirector.telstra.com.au/tdbin/Spider.ocx
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherA...iomanagerwt.cab

I'd appreciate any help you can send my way.

cheers

candyflip

#2 waterfalls

    Malware Exorcist


  • Members
  • 621 posts
  • Gender:Male

Posted 30 January 2007 - 03:04 AM

Hi -

You have several nasty infections, so this will take several steps to clean. So I don't repeat myself, please follow my directions in the order stated - this is very important.

You will need to print these directions because you will be working in Safe Mode without an Internet connection.

• Please set your system to show all files.
- Go to Start > open My Computer
- Select the Tools menu and click Folder Options.
- Select the View tab and, under Hidden files and folders, select Show hidden files and folders
- Uncheck Hide file extensions for known file types
- Uncheck Hide protected operating system files (Recommended)
- Click Apply, then OK

• Navigate to and delete the following folder:
C:\Program Files\Common Files\{14E3B5E9-06C1-1033-1214-05033120003d}
Note: If you have problems deleting the folder, boot into Safe Mode by restarting your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter - then delete the folder.

• If you had to go into Safe Mode, reboot your computer into Normal Mode.

• Open HijackThis, click Open the Misc Tools section, then click Delete a file on bootup
- a window will open
- Where it says "File Name" - copy and paste: C:\WINDOWS\SYSTEM32\winjyg32.dll
- Click Open
- A prompt will appear advising you that the file will be deleted and asking if you want to reboot now
- Click Yes
- Your computer will now reboot.

• Please download VundoFix.exe and save it to your Desktop.
- Double-click VundoFix.exe to run it
- Click the Scan for Vundo button
- Once it is done scanning, click the Remove Vundo button
- You will receive a prompt asking if you want to remove the files
- Click YES
- Once you click YES, your Desktop will go blank as it starts removing Vundo
- When completed, it will prompt that it will reboot your computer
- Click OK

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, so simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Once VundoFix has completed scanning, please do not run it again.
If you run it more than one time, you will overwrite the original log generated when it was run the first time.

• Download SDFix and save it to your Desktop.
- Please then reboot your computer in Safe Mode.
- In Safe Mode, right-click the SDFix.zip folder and choose Extract All.
- Open the extracted folder and double-click RunThis.bat to start the script.
- Type Y to begin the script.
- It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
- Press any key and it will restart the PC.
- Your system will take longer than normal to restart, as the fixtool will be running and removing files.
- When the desktop loads, the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
- Finally, open the SDFix folder on your Desktop and copy and paste the contents of the results file Report.txt back in your next reply.

• Post back with the contents of C:\vundofix.txt, Report.txt and a new HijackThis log.

Edited by waterfalls, 30 January 2007 - 03:04 AM.

Take only memories, leave nothing but footprints.


#3 candyflip

  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male

Posted 30 January 2007 - 08:02 PM

Hi waterfalls,

Thanks very much for your help. Please post a PayPal link when this is all done with, and I'll oblige with a little something towards your next Broadband bill. :thumbsup:

Here are the logs requested (no problems encountered when running any of the above advice, BTW).

First Vundo:


VundoFix V6.3.5

Checking Java version...

Java version is 1.5.0.2

Scan started at 12:03:08 PM 30/01/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\efccbyv.dll
C:\WINDOWS\system32\jkjsrnpy.dll
C:\WINDOWS\system32\lxhnvpqm.exe
C:\WINDOWS\system32\mljhhhi.dll
C:\WINDOWS\system32\nnnkjif.dll
C:\WINDOWS\system32\tstwa.bak1
C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\youcnlsj.dll
C:\WINDOWS\system32\ypnrsjkj.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\awtst.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\efccbyv.dll
C:\WINDOWS\system32\efccbyv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkjsrnpy.dll
C:\WINDOWS\system32\jkjsrnpy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lxhnvpqm.exe
C:\WINDOWS\system32\lxhnvpqm.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljhhhi.dll
C:\WINDOWS\system32\mljhhhi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnkjif.dll
C:\WINDOWS\system32\nnnkjif.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tstwa.bak1
C:\WINDOWS\system32\tstwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\tstwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\youcnlsj.dll
C:\WINDOWS\system32\youcnlsj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ypnrsjkj.ini
C:\WINDOWS\system32\ypnrsjkj.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.5

Checking Java version...

Java version is 1.5.0.2

Scan started at 11:33:28 AM 31/01/2007

Listing files found while scanning....

C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\golnaetg.dll
C:\WINDOWS\system32\gteanlog.ini
C:\WINDOWS\system32\ljjgeec.dll
C:\WINDOWS\system32\qxtnsvtl.dll
C:\WINDOWS\system32\tnucokmo.exe
C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\vyadd.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\ddayv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\golnaetg.dll
C:\WINDOWS\system32\golnaetg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gteanlog.ini
C:\WINDOWS\system32\gteanlog.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjgeec.dll
C:\WINDOWS\system32\ljjgeec.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qxtnsvtl.dll
C:\WINDOWS\system32\qxtnsvtl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tnucokmo.exe
C:\WINDOWS\system32\tnucokmo.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\vyadd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini Has been deleted!

Performing Repairs to the registry.
Done!



Now SDFIX.txt:


SDFix: Version 1.63

Wed 31/01/2007 - 11:51:22.10

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
COM+ Messages

Path:
"C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272

COM+ Messages Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\Temp\win41.tmp.exe - Deleted
C:\WINDOWS\Temp\win48.tmp.exe - Deleted
C:\WINDOWS\Temp\win4B.tmp.exe - Deleted
C:\WINDOWS\Temp\win51.tmp.exe - Deleted
C:\WINDOWS\system32\unsvchosts.lzma - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted
C:\WINDOWS\Temp\win*.tmp - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\WINDOWS\\TEMP\\win34.tmp.exe"="C:\\WINDOWS\\TEMP\\win34.tmp.exe:*:Enabled:win34.tmp"
"C:\\WINDOWS\\TEMP\\win4F.tmp.exe"="C:\\WINDOWS\\TEMP\\win4F.tmp.exe:*:Enabled:win4F.tmp"
"C:\\WINDOWS\\TEMP\\win60.tmp.exe"="C:\\WINDOWS\\TEMP\\win60.tmp.exe:*:Enabled:win60.tmp"
"C:\\WINDOWS\\TEMP\\win4D.tmp.exe"="C:\\WINDOWS\\TEMP\\win4D.tmp.exe:*:Enabled:win4D.tmp"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Documents and Settings\Rental1\My Documents\Technicians Folder\Printers\2420N\hpb2KUtl.dll
C:\Documents and Settings\Rental1\My Documents\Technicians Folder\Printers\2420N\hpbicore.dll
C:\Documents and Settings\Rental1\My Documents\Technicians Folder\Printers\2420N\hpbicoui.dll
C:\Documents and Settings\Rental1\My Documents\Technicians Folder\Printers\2420N\hpbicstat.dll
C:\Documents and Settings\Rental1\My Documents\Technicians Folder\Printers\2420N\hpbinsin.dll
C:\Documents and Settings\Rental1\My Documents\Technicians Folder\Printers\2420N\hpbinsmg.dll
C:\Documents and Settings\Rental1\My Documents\Technicians Folder\Printers\2420N\hpbisep.dll
C:\Documents and Settings\Rental1\My Documents\Technicians Folder\Printers\2420N\mfc42.dll
C:\Documents and Settings\Rental1\My Documents\Technicians Folder\Printers\2420N\msvcrt.dll
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\QooBox\Purity\Program Files\STEM~1\winlogon.exe
C:\QooBox\Purity\WINDOWS\system32\DOBE~1\m?hta.exe
C:\System Volume Information\_restore{8722AF54-43D8-4284-A187-D87CE121AC98}\RP72\A0007918.exe
C:\System Volume Information\_restore{8722AF54-43D8-4284-A187-D87CE121AC98}\RP72\A0007919.exe
C:\System Volume Information\_restore{8722AF54-43D8-4284-A187-D87CE121AC98}\RP74\A0008022.exe
C:\System Volume Information\_restore{8722AF54-43D8-4284-A187-D87CE121AC98}\RP74\A0008023.exe
C:\System Volume Information\_restore{8722AF54-43D8-4284-A187-D87CE121AC98}\RP75\A0008387.exe
C:\System Volume Information\_restore{8722AF54-43D8-4284-A187-D87CE121AC98}\RP75\A0008388.exe
C:\WINDOWS\A?pPatch\spool32.exe
C:\Documents and Settings\Rental1\My Documents\Shoot That!\~WRL0139.tmp
C:\Documents and Settings\Rental1\My Documents\Shoot That!\~WRL2008.tmp
C:\Documents and Settings\Rental1\My Documents\Shoot That!\~WRL4061.tmp

Finished

And Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 11:56:51 AM, on 31/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\system32\v6.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Telstra\OnlineTextBuddy\OnlineTextBuddy.exe
C:\WINDOWS\APPATC~1\spool32.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\ntvdm.exe
C:\HJT\KITTEN.COM

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pc.support.global.toshiba.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://mws-stat-syd.cdn.telstra.com.au/uatb-proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.0.2:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A0352F96-E200-B7D5-0623-ED1BC5071491} - C:\WINDOWS\system32\vot.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1115B9BB-5E3B-41DB-A244-5C1F0DFF2136} - C:\WINDOWS\system32\ljjgeec.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\qxtnsvtl.dll (file missing)
O2 - BHO: (no name) - {A0352F96-E200-B7D5-0623-ED1BC5071491} - C:\WINDOWS\system32\vot.dll
O2 - BHO: (no name) - {DCE9F17C-46BE-4B7F-BABA-02C7614D6582} - C:\WINDOWS\system32\ddayv.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LaunchApp] launchapp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [pnwvawj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Rental1\Local Settings\Application Data\pnwvawj.dll",olexgd
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OnlineTextBuddy] C:\Program Files\Telstra\OnlineTextBuddy\OnlineTextBuddy.exe /quiet
O4 - HKCU\..\Run: [Esrm] "C:\WINDOWS\APPATC~1\spool32.exe" -vt yazb
O4 - HKCU\..\Run: [Vdzncvkw] "C:\WINDOWS\system32\?dobe\m?hta.exe" 99001162
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2007\spy.htm
O8 - Extra context menu item: SnipeIt! eSnipe - http://www.esnipe.com/SnipeIt/SnipeItOpen3.asp
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2007\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2007\spy.htm
O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - https://testdirector.telstra.com.au/tdbin/Spider.ocx
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherA...iomanagerwt.cab
O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe


cheers for your continued help here.

candyflip

#4 waterfalls

    Malware Exorcist


  • Members
  • 621 posts
  • Gender:Male

Posted 30 January 2007 - 10:51 PM

Hi -

Here is where you can make a donation to bleepingcomputer.com via Paypal:
http://www.bleepingcomputer.com/about.php
- just click the "Paypal Donate" button on the left-hand side.

Uninstall the following programs if present:
- Go to Start > Control Panel > Add/Remove Programs
- Select the following, one at a time, and click Remove for each one:
Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it


If OIN is not listed, download and run this uninstaller
http://www.outerinfo.com/OiUninstaller.exe

Reboot when done! Really important!

Please set your system to show all files.
- Go to Start > open My Computer
- Select the Tools menu and click Folder Options.
- Select the View tab and, under Hidden files and folders, select Show hidden files and folders
- Uncheck Hide file extensions for known file types
- Uncheck Hide protected operating system files (Recommended)
- Click Apply, then OK

Reboot into SAFE MODE.
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

Start HijackThis, click System Scan Only and place a checkmark next to the following items:
R3 - URLSearchHook: (no name) - {A0352F96-E200-B7D5-0623-ED1BC5071491} - C:\WINDOWS\system32\vot.dll
O2 - BHO: (no name) - {1115B9BB-5E3B-41DB-A244-5C1F0DFF2136} - C:\WINDOWS\system32\ljjgeec.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\qxtnsvtl.dll (file missing)
O2 - BHO: (no name) - {A0352F96-E200-B7D5-0623-ED1BC5071491} - C:\WINDOWS\system32\vot.dll
O2 - BHO: (no name) - {DCE9F17C-46BE-4B7F-BABA-02C7614D6582} - C:\WINDOWS\system32\ddayv.dll (file missing)
O4 - HKLM\..\Run: [pnwvawj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Rental1\Local Settings\Application Data\pnwvawj.dll",olexgd
O4 - HKCU\..\Run: [Esrm] "C:\WINDOWS\APPATC~1\spool32.exe" -vt yazb
O4 - HKCU\..\Run: [Vdzncvkw] "C:\WINDOWS\system32\?dobe\m?hta.exe" 99001162
O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)


Close ALL browsers and open windows/programs except HijackThis and click 'Fix Checked'.

Reboot your computer.

Navigate to and delete the following folders if present:
C:\WINDOWS\APPATC~1
C:\WINDOWS\system32\?dobe - this probably looks like adobe

Navigate to and delete the following files if present:
C:\Documents and Settings\Rental1\Local Settings\Application Data\pnwvawj.dll
olexgd - you will have to use the Search feature on your computer to find this file and then delete it

Reboot into Normal Mode.

Download and scan with CCleaner.
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
3. Then select the items you wish to clean up.
In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section except Cookies.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop-up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Download Superantispyware
  • Load Superantispyware and click the check for updates button.
  • Once the update is finished click the scan your computer button.
  • Check Perform Complete Scan and then next.
  • Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log onto the forum.
Post back with the Superantispyware log and a new HijackThis log.

Take only memories, leave nothing but footprints.
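The triage waterfalls does by eye in posts #2 and #4 (nameless BHOs and URLSearchHooks, a Winlogon Notify DLL nobody recognises, rundll32 loading a DLL out of the user's profile, the "?dobe\m?hta.exe" and APPATC~1 paths, the svchosts.exe service) can be scripted as a first pass over a HijackThis log. The Python below is an added example for this thread, not a BleepingComputer or HijackThis tool; the Winlogon Notify allow-list, the core-binary list and the sample log are constructed for the demonstration.

```python
"""Triage helper for HijackThis v1.99 log lines (added example for this thread, not a BleepingComputer or HijackThis tool)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the format of the HijackThis logs posted above (same kind of entries).
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - {A0352F96-E200-B7D5-0623-ED1BC5071491} - C:\\WINDOWS\\system32\\vot.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll
O2 - BHO: (no name) - {1115B9BB-5E3B-41DB-A244-5C1F0DFF2136} - C:\\WINDOWS\\system32\\ljjgeec.dll (file missing)
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O4 - HKLM\\..\\Run: [pnwvawj.dll] C:\\WINDOWS\\system32\\rundll32.exe "C:\\Documents and Settings\\Rental1\\Local Settings\\Application Data\\pnwvawj.dll",olexgd
O4 - HKCU\\..\\Run: [Esrm] "C:\\WINDOWS\\APPATC~1\\spool32.exe" -vt yazb
O4 - HKCU\\..\\Run: [Vdzncvkw] "C:\\WINDOWS\\system32\\?dobe\\m?hta.exe" 99001162
O20 - Winlogon Notify: winjyg32 - C:\\WINDOWS\\SYSTEM32\\winjyg32.dll
O23 - Service: COM+ Messages - Unknown owner - C:\\WINDOWS\\system32\\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\guard.exe
"""

# Winlogon Notify packages shipped with XP SP2 plus common OEM ones. Assumption: a short
# allow-list is enough for this example; a real tool would carry a fuller baseline.
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                         "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui", "wgalogon"}
# Core Windows binaries whose names malware imitates (svchosts.exe next to the real svchost.exe).
CORE_BINARIES = {"svchost", "winlogon", "lsass", "csrss", "services", "explorer", "spoolsv", "smss"}
USER_PROFILE_MARKERS = ("documents and settings", "local settings", "application data")
_PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:dll|exe|com))"?', re.IGNORECASE)
_SHORT_NAME_UNDER_WINDOWS = re.compile(r"\\windows\\[^\\]*~\d\\", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: List[str]


def within_one_edit(a: str, b: str) -> bool:
    """True if at most one insertion, deletion or substitution turns a into b."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1                    # deletion from a
        elif len(a) < len(b):
            j += 1                    # insertion into a
        else:
            i, j = i + 1, j + 1       # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1


def triage_line(line: str) -> List[str]:
    """Return the reasons one HijackThis line (or a 'Running processes' path) deserves a look."""
    section, sep, rest = line.strip().partition(" - ")
    if not sep:                       # bare path from the process list: no section prefix
        section, rest = "", section
    low = rest.lower()
    reasons = []
    if section in ("O2", "R3") and "(no name)" in rest:
        reasons.append("BHO/URLSearchHook with no name")
    if "(file missing)" in rest:
        reasons.append("entry points at a file that no longer exists")
    if section == "O20":
        package = rest.split(": ", 1)[-1].split(" - ")[0].strip().lower()
        if package not in KNOWN_WINLOGON_NOTIFY:
            reasons.append(f"unrecognised Winlogon Notify package '{package}'")
    if section == "O23" and "unknown owner" in low:
        reasons.append("service with no company name")
    if section == "O4" and "rundll32" in low and any(m in low for m in USER_PROFILE_MARKERS):
        reasons.append("rundll32 loading a DLL from a user profile directory")
    for path in _PATH_RE.findall(rest):
        if "?" in path:  # '?' is illegal in NTFS names: HJT printed it for a character it could not render
            reasons.append(f"unprintable (look-alike) character in path {path}")
        if section == "O4" and _SHORT_NAME_UNDER_WINDOWS.search(path):
            reasons.append(f"8.3 short name for a Windows subfolder in {path}")
        stem = path.lower().rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if stem in CORE_BINARIES:
            if "\\windows\\" not in path.lower():
                reasons.append(f"core binary name '{stem}' outside the Windows directory")
        else:
            for core in CORE_BINARIES:
                if within_one_edit(stem, core):
                    reasons.append(f"'{stem}' imitates core binary '{core}'")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep only the lines with findings."""
    return [Finding(line.strip(), r) for line in log_text.splitlines() if (r := triage_line(line))]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line, *("\n   -> " + r for r in f.reasons))
```

Flags are prompts for a human decision, not verdicts; the Yahoo, Intel and AVG entries in the sample pass untouched while the seven others are reported.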

#5 candyflip

  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male

Posted 31 January 2007 - 12:07 AM

OK - thanks for your help.

Latest logs as follows:

SUPERAntiSpyware Scan Log
Generated 01/31/2007 at 03:40 PM

Application Version : 3.5.1016

Core Rules Database Version : 3165
Trace Rules Database Version: 1176

Scan type : Complete Scan
Total Scan Time : 00:23:40

Memory items scanned : 339
Memory threats detected : 0
Registry items scanned : 5104
Registry threats detected : 2
File items scanned : 25172
File threats detected : 44

Adware.ClickSpring
HKLM\Software\ClickSpring
HKLM\Software\ClickSpring#UBWKR
C:\QOOBOX\PURITY\PROGRAM FILES\STEM~1\WINLOGON.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP72\A0007918.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP74\A0008022.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP75\A0008387.EXE

Trojan.Downloader-DoneDU
C:\HJT\BACKUPS\BACKUP-20070130-122208-423.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP75\A0008341.DLL

Adware.ClickSpring/Yazzle
C:\PROGRAM FILES\COMMON FILES\YAZZLE1162OINADMIN.EXE
C:\PROGRAM FILES\COMMON FILES\YAZZLE1162OINUNINSTALLER.EXE
C:\WINDOWS\PREFETCH\YAZZLE1122OINADMIN.EXE-0A0C4823.PF
C:\WINDOWS\PREFETCH\YAZZLE1122OINUNINSTALLER.EXE-1863686E.PF
C:\WINDOWS\PREFETCH\YAZZLE1162OINADMIN.EXE-04B49B8B.PF
C:\WINDOWS\PREFETCH\YAZZLEBUNDLE-1122.EXE-0E9F0099.PF

Trojan.Update-Mcboo
C:\RECYCLER\S-1-5-21-4206963036-3211783124-1412166978-500\DC1\UPDATE.EXE

Adware.Universa
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP75\A0008304.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP75\A0008315.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP75\A0008316.EXE

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP75\A0008305.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP75\A0008308.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP75\A0009111.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP76\A0009119.EXE

Trojan.Freeprod
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP75\A0008307.EXE

Trojan.Downloader-WBRock
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP75\A0008326.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP75\A0008329.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP75\A0008330.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP76\A0009163.DLL
C:\VUNDOFIX BACKUPS\EFCCBYV.DLL.BAD
C:\VUNDOFIX BACKUPS\LJJGEEC.DLL.BAD
C:\VUNDOFIX BACKUPS\MLJHHHI.DLL.BAD
C:\VUNDOFIX BACKUPS\NNNKJIF.DLL.BAD

Trojan.Downloader-Quake11
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP75\A0008327.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP76\A0009162.DLL
C:\VUNDOFIX BACKUPS\GOLNAETG.DLL.BAD
C:\VUNDOFIX BACKUPS\JKJSRNPY.DLL.BAD

Trojan.Downloader-Gen/LIB
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP75\A0008331.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP76\A0009164.DLL
C:\VUNDOFIX BACKUPS\QXTNSVTL.DLL.BAD
C:\VUNDOFIX BACKUPS\YOUCNLSJ.DLL.BAD

Worm.Sober Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8722AF54-43D8-4284-A187-D87CE121AC98}\RP76\A0009226.EXE

Trojan.Downloader-DRVSAM
C:\WINDOWS\SYSTEM32\DRVFUP.DLL
C:\WINDOWS\SYSTEM32\DRVJIK.DLL
C:\WINDOWS\SYSTEM32\DRVMEB.DLL
C:\WINDOWS\SYSTEM32\DRVTAJ.DLL

Trojan.Downloader-SpyTool
C:\WINDOWS\SYSTEM32\FAHKYOSV.DLL
C:\WINDOWS\SYSTEM32\XFRXILMR.DLL
Logfile of HijackThis v1.99.1
Scan saved at 4:00:40 PM, on 31/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\system32\v6.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Telstra\OnlineTextBuddy\OnlineTextBuddy.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\ntvdm.exe
C:\HJT\KITTEN.COM

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pc.support.global.toshiba.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://mws-stat-syd.cdn.telstra.com.au/uatb-proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.0.2:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LaunchApp] launchapp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OnlineTextBuddy] C:\Program Files\Telstra\OnlineTextBuddy\OnlineTextBuddy.exe /quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2007\spy.htm
O8 - Extra context menu item: SnipeIt! eSnipe - http://www.esnipe.com/SnipeIt/SnipeItOpen3.asp
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2007\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2007\spy.htm
O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - https://testdirector.telstra.com.au/tdbin/Spider.ocx
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherA...iomanagerwt.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

best

candyflip

#6 waterfalls
    Malware Exorcist
  • Members
  • 621 posts
  • Gender:Male

Posted 31 January 2007 - 01:11 PM

Hi -

Please upload this file to Jotti's Online Virus Scan
C:\WINDOWS\system32\v6.exe
- Click the link above
- Click "Browse" at the top of the page
- Navigate to C:\WINDOWS\system32\ and click v6.exe
- Click "Open" and let the scan finish
- Copy/paste the results in your next reply.

Perform an online scan with Panda Online. Please use this scanner instead of any other scanner! You have to use Internet Explorer for this scan.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component, allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the "See Report" button, then "Save Report" and save it to a convenient location.

Post back with the results of the Jotti scan, the Panda scan results and a new HijackThis log. Also, let me know how your computer is running now.

Take only memories, leave nothing but footprints.

#7 candyflip
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 31 January 2007 - 06:05 PM

The laptop (machine 1) seems to be running fine, although I have 2 machines, and so I can pretty much keep it (machine 1) offline since the infection, while answering these queries and attempting the fix with you on another (PC machine 2). While running the Panda scan the laptop did attempt to re-direct at one stage (as a spyware program was detected), but otherwise it seems OK. I'm just not confident to re-connect to the internet for too long until you think we've fixed everything...

Jotti Scan report:

File: v6.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 3abfef3a07531687dc4890a7a36dfd50
Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT

Scanner results
Scan taken on 31 Jan 2007 22:09:33 (GMT)
AntiVir Found TR/Agent.8704.12
ArcaVir Found Trojan.Downloader.Tiny.Fk
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Generic.Malware.Sdld!.DBC6C29D
ClamAV Found nothing
Dr.Web Found DLOADER.Trojan (probable variant)
F-Prot Antivirus Found unknown virus (probable variant)
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Tiny.fk
Fortinet Found W32/Tiny.FK!tr.dldr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Tiny.fk
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing


Panda Scan log:


Incident Status Location

Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Rental1\Desktop\OiUninstaller.exe[UE.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Rental1\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Virus:trj/femad.a Disinfected C:\ntkernel.exe
Adware:Adware/PurityScan Not disinfected C:\QooBox\Purity\WINDOWS\system32\DOBE~1\m?hta.exe
Adware:Adware/ActiveSearch Not disinfected C:\RECYCLER\S-1-5-21-4206963036-3211783124-1412166978-500\Dc1\system.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Adware:Adware/Mytoolbar Not disinfected C:\SDFix\backups\backups.zip[backups/win41.tmp.exe]
Adware:Adware/Yazzle Not disinfected C:\SDFix\backups\backups.zip[backups/win48.tmp.exe]
Adware:Adware/PurityScan Not disinfected C:\SDFix\backups\backups.zip[backups/win48.tmp.exe][++\Yazzle1162OinAdmin.exe]
Virus:Trj/Downloader.MLZ Disinfected C:\SDFix\backups\backups.zip[backups/win4B.tmp.exe]
Virus:Trj/Clicker.XS Disinfected C:\SDFix\backups\backups.zip[backups/win51.tmp.exe]
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\VundoFix Backups\lxhnvpqm.exe.bad
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\VundoFix Backups\tnucokmo.exe.bad
Virus:Trj/Downloader.MLZ Disinfected C:\WINDOWS\system32\v6.exe
Logfile of HijackThis v1.99.1
Scan saved at 9:46:51 AM, on 1/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Telstra\OnlineTextBuddy\OnlineTextBuddy.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\ntvdm.exe
C:\HJT\KITTEN.COM

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pc.support.global.toshiba.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://mws-stat-syd.cdn.telstra.com.au/uatb-proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.0.2:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LaunchApp] launchapp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OnlineTextBuddy] C:\Program Files\Telstra\OnlineTextBuddy\OnlineTextBuddy.exe /quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2007\spy.htm
O8 - Extra context menu item: SnipeIt! eSnipe - http://www.esnipe.com/SnipeIt/SnipeItOpen3.asp
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2007\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2007\spy.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - https://testdirector.telstra.com.au/tdbin/Spider.ocx
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherA...iomanagerwt.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

cheers & thanks again

candyflip
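The Jotti report pasted above is a free-text list of "engine Found label" lines. The following is an added example (not code from the original posts, and not Jotti's own) that turns such a report into structured data: how many engines detected the file, which family name most engines agree on once the generic class and platform words are stripped out, and whether a local copy of the file hashes to the MD5 the scanner reported, which is the check that tells you the verdict really concerns the bytes you have. JOTTI_REPORT is a constructed copy of the report in this thread; the GENERIC token list is an assumption, not a vocabulary published by any scanner.

```python
"""Summarise a multi-engine (Jotti-style) scan report.

Added example for this thread, not code from the original posts or from
Jotti.  JOTTI_REPORT is a constructed copy of the report posted above;
GENERIC is an assumed list of class/platform words, not Jotti's own.
"""
import hashlib
import re
from collections import Counter

JOTTI_REPORT = """
MD5 3abfef3a07531687dc4890a7a36dfd50
AntiVir Found TR/Agent.8704.12
ArcaVir Found Trojan.Downloader.Tiny.Fk
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Generic.Malware.Sdld!.DBC6C29D
ClamAV Found nothing
Dr.Web Found DLOADER.Trojan (probable variant)
F-Prot Antivirus Found unknown virus (probable variant)
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Tiny.fk
Fortinet Found W32/Tiny.FK!tr.dldr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Tiny.fk
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing
"""

# Words that name a malware class or platform rather than a family
# (assumption: chosen by hand from common vendor naming schemes).
GENERIC = {
    "trojan", "downloader", "dloader", "dldr", "win", "win32", "w32",
    "generic", "malware", "virus", "unknown", "probable", "variant", "agent",
}


def parse_report(text):
    """Return {engine: label or None} from the 'X Found Y' lines."""
    verdicts = {}
    for line in text.splitlines():
        engine, sep, label = line.strip().partition(" Found ")
        if not sep:
            continue  # header, MD5 line, blank line
        verdicts[engine] = None if label.lower() == "nothing" else label
    return verdicts


def reported_md5(text):
    """The MD5 the scanning site printed for the uploaded file, if any."""
    m = re.search(r"^MD5\s+([0-9a-fA-F]{32})$", text, re.M)
    return m.group(1).lower() if m else None


def detection_ratio(verdicts):
    """(engines that flagged the file, engines that scanned it)."""
    hits = sum(1 for label in verdicts.values() if label)
    return hits, len(verdicts)


def family_tokens(label):
    """Alphabetic tokens of three or more letters that are not generic."""
    return [t for t in re.split(r"[^a-z]+", label.lower())
            if len(t) >= 3 and t not in GENERIC]


def consensus_family(verdicts):
    """Most frequent family token across detecting engines and its vote count."""
    votes = Counter()
    for label in verdicts.values():
        if label:
            votes.update(set(family_tokens(label)))  # one vote per engine
    if not votes:
        return None, 0
    return votes.most_common(1)[0]


def md5_matches(data, expected_hex):
    """True when the local bytes hash to the MD5 the scanner reported."""
    return hashlib.md5(data).hexdigest() == expected_hex.lower()


if __name__ == "__main__":
    verdicts = parse_report(JOTTI_REPORT)
    hits, total = detection_ratio(verdicts)
    print(f"{hits}/{total} engines flagged the file")
    print("consensus family:", consensus_family(verdicts))
    print("reported MD5:", reported_md5(JOTTI_REPORT))
```

Before pasting a report into a thread like this one, hash the file you actually uploaded (md5_matches on its bytes) and compare with reported_md5; a mismatch means the site served a cached verdict for different bytes, which the "this file has been scanned before" note above hints at.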
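The two HijackThis logs in this thread (the one in post #5 and the one just above) differ in exactly the way the helper was looking for: the `O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe` entry is gone and a Panda ActiveX O16 line has appeared. Below is an added example (not from the original posts and not part of HijackThis) that does that reading mechanically: it parses the O4 registry Run entries, flags ones that deserve a look, and diffs two logs. LOG_31_JAN and LOG_01_FEB are constructed excerpts of the two posted logs; KNOWN_SYSTEM_AUTORUNS is an assumed per-machine allowlist built from the OEM entries in this laptop's log, not a general-purpose whitelist; the "short letter plus digits" heuristic is a rule of thumb, not a signature.

```python
"""Triage and diff the autorun (O4) entries of two HijackThis logs.

Added example for this thread, not code from the original posts or from
the HijackThis tool.  Assumptions: the excerpts below are constructed
from the two logs posted in the thread, and KNOWN_SYSTEM_AUTORUNS is a
per-machine allowlist, not a general one.
"""
import re
from collections import namedtuple

Run = namedtuple("Run", "hive key name cmd")

# Run values whose binary legitimately autostarts from C:\WINDOWS on this
# laptop (assumption: taken from the OEM entries visible in the log).
KNOWN_SYSTEM_AUTORUNS = {
    "ctfmon.exe", "igfxtray.exe", "hkcmd.exe", "igfxpers.exe", "tfswctrl.exe",
}

_O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
_BINARY = re.compile(r'"?(.+?\.(?:exe|com|scr|bat|dll|pif))"?(?:\s|$)', re.I)

# Constructed excerpts of the two logs posted above (O4/O16 lines only).
LOG_31_JAN = r"""
O4 - HKLM\..\Run: [LaunchApp] launchapp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - https://testdirector.telstra.com.au/tdbin/Spider.ocx
"""

LOG_01_FEB = r"""
O4 - HKLM\..\Run: [LaunchApp] launchapp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - https://testdirector.telstra.com.au/tdbin/Spider.ocx
"""


def parse_o4_runs(log):
    """Registry Run/RunOnce entries (O4 lines) of a HijackThis log."""
    return [Run(*m.groups()) for m in
            (_O4_RUN.match(l.strip()) for l in log.splitlines()) if m]


def binary_of(cmd):
    """Executable path of a Run command, quoted or not, without arguments."""
    m = _BINARY.match(cmd.strip())
    return m.group(1) if m else cmd.strip()


def suspicious_reasons(run):
    """Why an autorun deserves a look; an empty list means nothing flagged."""
    exe = binary_of(run.cmd)
    if "\\" not in exe:
        return ["no directory in command; resolved by PATH search"]
    folder, _, base = exe.rpartition("\\")
    reasons = []
    if folder.lower() in (r"c:\windows", r"c:\windows\system32") \
            and base.lower() not in KNOWN_SYSTEM_AUTORUNS:
        reasons.append(f"unknown binary {base} autostarting from {folder}")
    if re.fullmatch(r"[a-z]{1,2}\d+\.exe", base.lower()):
        reasons.append("short letter+digits filename typical of droppers")
    return reasons


def triage(log):
    """Map each flagged Run value name to the reasons it was flagged."""
    flagged = {}
    for run in parse_o4_runs(log):
        reasons = suspicious_reasons(run)
        if reasons:
            flagged[run.name] = reasons
    return flagged


def diff_logs(before, after):
    """(added, removed) R/O/F lines between two logs; process list ignored."""
    def items(log):
        return {l.strip() for l in log.splitlines()
                if re.match(r"^[ORF]\d+ - ", l.strip())}
    b, a = items(before), items(after)
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    for name, reasons in triage(LOG_31_JAN).items():
        print(f"[{name}]: " + "; ".join(reasons))
    added, removed = diff_logs(LOG_31_JAN, LOG_01_FEB)
    print("added:", added)
    print("removed:", removed)
```

On the 31 January excerpt the triage flags `syswin` on both rules (an unknown binary in system32 with a dropper-style name) and `LaunchApp` only because its command carries no path; the diff then confirms the Panda run removed the `syswin` entry and left its own ActiveScan O16 line behind, which is what the helper read off the log by eye.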

#8 waterfalls
    Malware Exorcist
  • Members
  • 621 posts
  • Gender:Male

Posted 31 January 2007 - 07:00 PM

Hi -

One thing that I need to tell you is that you had a lot of backdoor malware on your system. I strongly recommend that you change all of your passwords from another computer you know is not infected.

Panda deleted the remainders. Your log looks clean.

You can delete the following:
C:\SDFix\backups <-- delete the contents of this folder
C:\VundoFix Backups <-- delete the contents of this folder
C:\QooBox\Purity\WINDOWS\system32\DOBE~1 <-- delete this folder

Please set your system to hide system files.
- Go to Start and open My Computer
- Select the Tools menu and click Folder Options.
- Select the View Tab and, under Hidden files and folders, check Do not show hidden files and folders
- Check Hide file extensions for known file types
- Check Hide protected operating system files (Recommended)
- Click Apply, then OK.

If you have not done so, please empty your Recycle Bin.

Create a new Restore Point:
- Go to Start -> All Programs -> Accessories -> System Tools -> System Restore.
- When the utility opens, select "Create a new restore point" and click Next
- Name the restore point - something like "After infection cleaned" or "After cleaning"
- Click Create.

Delete the old Restore Points:
- Go to Start -> All Programs -> Accessories -> System Tools -> Disk Cleanup. Click Ok.
- Click the "More Options" tab.
- Where it states "System Restore" - click Clean up.
- All of the old Restore Points will be deleted EXCEPT for the one you just created.

Reboot your computer.

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster. SpywareBlaster doesn't scan and clean for so-called spyware but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls and also prevents the installation of any of them via a webpage. Update it periodically.

* Avoid illegal sites because that's where most malware is present.
* Don't click on links inside pop-ups. If you should get them, use ALT + F4 to close them.
* Don't click on links in spam messages claiming to offer anti-spyware software because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust because a lot of free software can bundle other software, including spyware.

Let your anti-spyware scanner(s) scan frequently and don't forget to update before scanning.

I suggest you perform an online virus-scan once in a while (Housecall and/or Bitdefender) because what one virus-scanner can't find, another one maybe can.
Also, make sure that your virus-scanner, the one that is already installed on your system, is always up to date!

Make sure your Windows has the latest updates by going here.

More information on how to prevent malware can be found at So how did I get infected in the first place? (by Tony Klein) and Malware Prevention: Prevent Re-infection.

Happy surfing again! :thumbsup:

#9 candyflip
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Male

Posted 31 January 2007 - 07:57 PM

Thanks waterfalls. So far so good since back online.

I didn't have any virus scanning or malware checkers installed at all, not even windows updates, on this rented laptop when I first got it. So now I've put on everything you've said and I'll try and keep it up-to-date.

I really appreciate your help and I'll be donating some money thru PayPal shortly. :thumbsup:

thanks again

candyflip

#10 waterfalls
    Malware Exorcist
  • Members
  • 621 posts
  • Gender:Male

Posted 31 January 2007 - 08:10 PM

You're welcome. :flowers:

I forgot to mention that I didn't see an anti-virus program or a software firewall program installed on your system. You really should have one of each installed. Only install one anti-virus and one software firewall program.

Active Virus Shield is a good FREE Anti-Virus program. You don't need to install the toolbar that comes with this program.

Kerio 4.2.2-911 is a good FREE software Firewall program.
See, Understanding and Using Firewalls

Good luck! :thumbsup:

Edited by waterfalls, 31 January 2007 - 08:11 PM.


#11 waterfalls
    Malware Exorcist
  • Members
  • 621 posts
  • Gender:Male

Posted 03 February 2007 - 05:04 PM

Since this issue appears resolved ... this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a new topic.