Help Needed With Virus/trojan Problem


5 replies to this topic

#1 robb_g

Posted 16 February 2007 - 06:56 AM

I recently downloaded and installed a BitTorrent program, then all of a sudden I started getting endless pop-up ads for antivirus software and "virus detected" notifications. My computer is now running really slow, especially when browsing on the internet. My CPU usage is maxed at 100%. I did some troubleshooting with Process Explorer and I think this might be related to the "update.exe" process. Can anyone help me out? I would greatly appreciate it.

Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:29:56 AM, on 2/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Um9iIEFndWlsYXI\command.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mr. Hyde\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {B521039C-992C-E28A-7B92-B49E8B3B54CA} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [startemdoit] C:\WINDOWS\eltonehour.exe
O4 - HKLM\..\Run: [1pop06apelt2] C:\WINDOWS\elitepop06.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\lwinqpem.exe ELT001
O4 - HKLM\..\Run: [ms05626047870] C:\WINDOWS\ms05626047870.exe
O4 - HKLM\..\Run: [mmcrat06] C:\WINDOWS\mmputt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [trprcsk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\trprcsk.dll,vhsrotc
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [Security] C:\WINDOWS\WindowsSecurityUpdate.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\lwgtgucq.dll",setvm
O4 - HKLM\..\Run: [{1C887A54-0298-1033-0224-001116190001}] "C:\Program Files\Common Files\{1C887A54-0298-1033-0224-001116190001}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DF9FC57-BF2D-42F5-92C2-9620EDCA4560}: NameServer = 68.87.76.178,68.87.76.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{2DF9FC57-BF2D-42F5-92C2-9620EDCA4560}: NameServer = 68.87.76.178,68.87.76.130
O17 - HKLM\System\CS3\Services\Tcpip\..\{2DF9FC57-BF2D-42F5-92C2-9620EDCA4560}: NameServer = 68.87.76.178,68.87.76.130
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Um9iIEFndWlsYXI\command.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
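
A log like the one above is read by eye, so as an added example (my code, not from the original post and not part of HijackThis) here is a small Python triage script that applies the checks a removal helper applies to the O4, O15 and O23 lines: executables dropped straight into C:\WINDOWS, GUID-named Run values and directories, a directory name that is base64 of readable text, a near-miss of a system process name (svchosts.exe), third-party hosts added to the IE Trusted Zone, and services with no company name or a missing file. It then links flagged entries that share an argument token. The sample lines are copied from the log posted above; the Trusted Zone allowlist, the vowel-ratio heuristic and the token pattern are my assumptions.

```python
"""Triage a HijackThis v1.99 log: flag the O4 (Run key), O15 (IE Trusted Zone) and
O23 (service) lines a helper reads first.  Added example: hints, not verdicts."""
import base64
import re

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [1pop06apelt2] C:\WINDOWS\elitepop06.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\lwgtgucq.dll",setvm
O4 - HKLM\..\Run: [{1C887A54-0298-1033-0224-001116190001}] "C:\Program Files\Common Files\{1C887A54-0298-1033-0224-001116190001}\Update.exe" mc-110-12-0000272
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://*.windowsupdate.com
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Um9iIEFndWlsYXI\command.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

PATH_RE = re.compile(r'([A-Za-z]:\\[^",]+?\.(?:exe|dll))', re.IGNORECASE)
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
B64_DIR_RE = re.compile(r"[A-Za-z0-9+/]{12,}")
TOKEN_RE = re.compile(r"\b[a-z]{2}-\d+-\d+-\d+\b")      # assumed shape, e.g. mc-110-12-0000272
TRUSTED_OK = ("windowsupdate.com", "microsoft.com")     # assumption: the only hosts expected there
SYSTEM_STEMS = ("svchost", "lsass", "csrss", "winlogon", "explorer", "services", "spoolsv")

def _random_looking(stem):
    # Few vowels in a longish name (lwgtgucq). Misfires on abbreviations such as ccEvtMgr.
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(letters) >= 6 and sum(c in "aeiouy" for c in letters) / len(letters) < 0.25

def _path_reasons(path):
    reasons = []
    parts = path.split("\\")
    dirs, stem = parts[1:-1], parts[-1].rsplit(".", 1)[0]
    if [d.lower() for d in dirs] == ["windows"]:
        reasons.append("executable dropped directly into %WINDIR%")
    if any(GUID_RE.fullmatch(d) for d in dirs):
        reasons.append("GUID-named directory")
    for d in dirs:  # Um9iIEFndWlsYXI: mixed-case base64 alphabet that decodes to readable text
        if B64_DIR_RE.fullmatch(d) and d.lower() != d != d.upper() and len(d) % 4 != 1:
            raw = base64.b64decode(d + "=" * (-len(d) % 4))
            if all(32 <= b < 127 for b in raw):
                reasons.append("directory name is base64 of printable text")
    if _random_looking(stem):
        reasons.append("random-looking file name")
    for s in SYSTEM_STEMS:  # svchosts.exe sitting next to the real svchost.exe
        if s in stem.lower() and stem.lower() != s:
            reasons.append(f"look-alike of {s}.exe")
    return reasons

def _o4(line):
    reasons = []
    name = re.search(r"\[(.+?)\]", line)
    if name and GUID_RE.fullmatch(name.group(1)):
        reasons.append("GUID used as Run value name")
    path = PATH_RE.search(line)
    if path:
        reasons.extend(_path_reasons(path.group(1)))
        if "rundll32" in line.lower() and path.group(1).lower().endswith(".dll"):
            reasons.append("rundll32 loads a DLL at logon")
    return reasons

def _o15(line):
    host = re.sub(r"^https?://", "", line.split("Trusted Zone:", 1)[1].split()[0]).lstrip("*.")
    return [] if host.endswith(TRUSTED_OK) else ["third-party host in IE Trusted Zone"]

def _o23(line):
    fields = line.split(" - ")
    reasons = []
    if len(fields) > 3 and fields[2] == "Unknown owner":
        reasons.append("service binary carries no company name")
    if "(file missing)" in line:
        reasons.append("service points at a missing file")
    path = PATH_RE.search(line)
    return reasons + (_path_reasons(path.group(1)) if path else [])

def triage(log_text):
    handlers = {"O4": _o4, "O15": _o15, "O23": _o23}
    findings = []
    for line in log_text.splitlines():
        section = line.split(" - ", 1)[0].strip()
        reasons = handlers[section](line) if section in handlers else []
        if reasons:
            findings.append((section, line, reasons))
    return findings

def correlate(findings):
    """Group flagged lines sharing a token: the Run entry and the phantom service are one package."""
    groups = {}
    for _, line, _ in findings:
        for tok in TOKEN_RE.findall(line):
            groups.setdefault(tok, []).append(line)
    return {tok: lines for tok, lines in groups.items() if len(lines) > 1}

if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_LOG):
        print(f"{section:<4} {line[:60]:<60} -> {'; '.join(reasons)}")
    print("linked by shared token:", list(correlate(triage(SAMPLE_LOG))))
```

Run it on a full log and expect noise: the vowel heuristic also flags abbreviations such as ccEvtMgr and msmsgs, and every rundll32 entry is listed, so treat the output as a reading order for the helper rather than a removal list. The correlate() step is the firmer signal: the GUID-named Run value and the "COM+ Messages" service in the log both carry mc-110-12-0000272, which marks them as components of the same install.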


#2 YounGun

Posted 16 February 2007 - 08:07 AM

Heya :thumbsup:

Quite a few infections you've got there, don't worry, we'll take care of them all :flowers:

I would like to see if any other startups are involved. To do this, I need to see another type of log please. Go here and download Silent Runners.vbs to a new folder on your Desktop (clicking the download link works if you use IE; if you use Firefox, right-click on the link and choose "Save Link As") and run it. It generates a log too. It takes a minute or two and it will notify you with a popup when your log is ready (make sure you wait for the popups please). Please post the information back in this thread too (you may need to make a couple of posts). If your antivirus program queries the script, allow it to run. It's not malicious.

#3 robb_g

Posted 16 February 2007 - 01:52 PM

Hey YounGun

Thanks for taking this problem on. Here's the log that you need.

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"{1C887A54-0298-1033-0224-001116190001}" = ""C:\Program Files\Common Files\{1C887A54-0298-1033-0224-001116190001}\Update.exe" te-110-12-0000073" [null data]

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"BitTorrent" = ""C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"none" = "C:\Program Files\Video ActiveX Object\pmsngr.exe" [file not found]
"svchost.exe" = "C:\WINDOWS\svchost.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"startemdoit" = "C:\WINDOWS\eltonehour.exe" [file not found]
"1pop06apelt2" = "C:\WINDOWS\elitepop06.exe" [file not found]
"ExploreUpdSched" = "C:\WINDOWS\System32\lwinqpem.exe ELT001" [file not found]
"ms05626047870" = "C:\WINDOWS\ms05626047870.exe" [file not found]
"mmcrat06" = "C:\WINDOWS\mmputt.exe" [file not found]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"NAV CfgWiz" = "C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"" ["Symantec Corporation"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"trprcsk.dll" = "C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\trprcsk.dll,vhsrotc" [MS]
"outlook" = "C:\Program Files\outlook\outlook.exe /auto" [file not found]
"Security" = "C:\WINDOWS\WindowsSecurityUpdate.exe" [file not found]
"DllRunning" = "rundll32.exe "C:\WINDOWS\system32\lwgtgucq.dll",setvm" [MS]
"{1C887A54-0298-1033-0224-001116190001}" = ""C:\Program Files\Common Files\{1C887A54-0298-1033-0224-001116190001}\Update.exe" mc-110-12-0000272" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0AFEA888-B97B-4EDE-AC47-1FEE31D5CEE5}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\efcayab.dll" [null data]
{449A9E19-0014-42F6-B015-2E4030C100CA}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\xxwuv.dll" [null data]
{46A4E9D9-B30E-452A-8157-DBBEC8573B03}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\VSAdd-in\VSAdd-in.dll" [null data]
{5A061098-7F46-5FE3-983C-028F0FCE9DAD}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\fzmbwdk.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
{871A54C1-1EB3-48bd-A879-5DBA4EF16BE6}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\souanikp.dll" [null data]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {HKLM...CLSID} = "CNavExtBho Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
{E03C740E-BB24-4d3c-B92A-6F84DE1DD99C}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\cdpmkoic.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{0AFEA888-B97B-4EDE-AC47-1FEE31D5CEE5}" = "*b" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\efcayab.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> efcayab\DLLName = "efcayab.dll" [null data]
<<!>> winmzj32\DLLName = "winmzj32.dll" [null data]
<<!>> xxwuv\DLLName = "C:\WINDOWS\system32\xxwuv.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures\Wallpapers\FearFactory-transgression-cover_lo(1).bmp"


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{74DD705D-6834-439C-A735-A6DBE2677452}"
-> {HKLM...CLSID} = "&VSAdd-in"
\InProcServer32\(Default) = "C:\Program Files\VSAdd-in\VSAdd-in.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
"{74DD705D-6834-439C-A735-A6DBE2677452}" = (no title provided)
-> {HKLM...CLSID} = "&VSAdd-in"
\InProcServer32\(Default) = "C:\Program Files\VSAdd-in\VSAdd-in.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Command Service, cmdService, "C:\WINDOWS\Um9iIEFndWlsYXI\command.exe" [null data]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
SAVScan, SAVScan, ""C:\Program Files\Norton AntiVirus\SAVScan.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 271 seconds, including 18 seconds for message boxes)

#4 YounGun

Posted 16 February 2007 - 02:19 PM

Please download SmitfraudFix (by S!Ri) to your Desktop. Don't run it just yet, we'll use it later.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files,
    click YES
  • Once you click yes, your desktop will go blank as it starts removing
    Vundo.
  • When completed, it will prompt that it will shutdown your computer,
    click OK.
  • Turn your computer back on.
Download LQfix.exe from http://www.downloads.subratam.org/LQfix.exe and place it on your desktop.
Double-click LQfix.exe and click Install.
This will create a new folder called LQfix on your desktop.
Open the folder and doubleclick ClickThis.bat
Follow the prompts on the screen.
Your system will reboot afterwards.
Please be patient after reboot, because there is a script running in the background.

Download AVG Anti-Spyware 7.5 and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
  • Right-click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
  • Go to Start > Run and type: services.msc
  • Press "OK".
  • In Services, click the "Extended tab" and scroll down the list to find AVG anti-spyware 7.5 guard.
  • When you find the guard service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Manual".
  • Now click "Apply", then "OK" and close the Services window.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
      If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet. We will shortly.

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "BFU"

Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
Right-click the Alcra PLUS Remover link and choose "Save As" (in IE it's "Save Target As") to download it.
Save it in the same folder you made earlier (c:\BFU).

Do not run the Uninstaller and the Remover yet.

Please reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.
  • While in Safe Mode, Scan with AVG Anti-Spyware as follows:
    1. Launch AVG Anti-Spyware, click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?" check all (default).
  • Under "Possibly unwanted software" check all (default).
  • Under "What to Scan?" make sure "Scan every file" is selected (default).
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
6. Exit AVG Anti-Spyware
Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe

Behind the "Scriptline to execute" field click the folder icon and select alcanshorty.bfu

Press execute and let it do its job.

Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.


Reboot in normal mode

Double-click smitfraudfix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!

Please post : the c:\vundofix.txt log, rapport.txt, the avg antispyware log and a new hijackthis log.

#5 robb_g

Posted 18 February 2007 - 08:14 PM

Hey Youngun

I did everything you said and all went smooth. Here are the reports you asked for.

VundoFix V6.2.6

Checking Java version...

Java version is 1.5.0.8

Scan started at 8:00:56 PM 11/4/2006

Listing files found while scanning....

C:\WINDOWS\system32\fcyyy.dll
C:\WINDOWS\system32\yyycf.ini
C:\WINDOWS\system32\yyycf.bak1
C:\WINDOWS\system32\yyycf.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\fcyyy.dll
C:\WINDOWS\system32\fcyyy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yyycf.ini
C:\WINDOWS\system32\yyycf.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\yyycf.bak1
C:\WINDOWS\system32\yyycf.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yyycf.bak2
C:\WINDOWS\system32\yyycf.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.6

Checking Java version...

Java version is 1.5.0.8

Java version is 1.5.0.9

Scan started at 5:00:42 AM 2/18/2007

Listing files found while scanning....

C:\Documents and settings\Mr. Hyde\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\Mr. Hyde\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\WINDOWS\system32\bdensusy.dll
C:\WINDOWS\system32\efcayab.dll
C:\WINDOWS\system32\fxtyysga.exe
C:\WINDOWS\system32\hkkkqfgq.exe
C:\WINDOWS\system32\lwgtgucq.dll
C:\WINDOWS\system32\qcugtgwl.ini
C:\WINDOWS\System32\souanikp.dll
C:\WINDOWS\system32\trprcsk.dll
C:\WINDOWS\system32\uqvyegwg.dll
C:\WINDOWS\system32\winmzj32.dll
C:\WINDOWS\system32\xxwuv.dll

Beginning removal...

Attempting to delete C:\Documents and settings\Mr. Hyde\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
C:\Documents and settings\Mr. Hyde\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt Has been deleted!

Attempting to delete C:\Documents and settings\Mr. Hyde\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
C:\Documents and settings\Mr. Hyde\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt Has been deleted!

Attempting to delete C:\Program Files\VSAdd-in\VSAdd-in.dll
C:\Program Files\VSAdd-in\VSAdd-in.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bdensusy.dll
C:\WINDOWS\system32\bdensusy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\efcayab.dll
C:\WINDOWS\system32\efcayab.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fxtyysga.exe
C:\WINDOWS\system32\fxtyysga.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\hkkkqfgq.exe
C:\WINDOWS\system32\hkkkqfgq.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\lwgtgucq.dll
C:\WINDOWS\system32\lwgtgucq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qcugtgwl.ini
C:\WINDOWS\system32\qcugtgwl.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\souanikp.dll
C:\WINDOWS\System32\souanikp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\trprcsk.dll
C:\WINDOWS\system32\trprcsk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uqvyegwg.dll
C:\WINDOWS\system32\uqvyegwg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\winmzj32.dll
C:\WINDOWS\system32\winmzj32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxwuv.dll
C:\WINDOWS\system32\xxwuv.dll Has been deleted!

Performing Repairs to the registry.
Done!
----------------

SmitFraudFix v2.142

Scan done at 16:39:46.05, Sun 02/18/2007
Run from C:\Documents and Settings\Mr. Hyde\Desktop\New Folder (5)\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mr. Hyde


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mr. Hyde\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MR7DD5~1.HYD\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:52:38 PM 2/18/2007

+ Scan result:



C:\WINDOWS\system32\pushow75.dll -> Adware.AdvertMen : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\Bug Doctor Help.chm -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\BugDoctor.exe -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\BugDoctorLiveUpdate.exe -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\FixedOnMondayFebruary052007130231.xml -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\Get Bonuses.url -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin.ini -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\LiveUpdate_disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\LiveUpdate_normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\LiveUpdate_pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\LiveUpdate_rollover.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\SubMainDisable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\SubMainNormal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\SubMainPressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\SubMainRollOver.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\bug.swf -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\fix_complete-disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\fix_complete-normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\fix_complete-pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\fix_complete-roll_over.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\fixing_error-disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\fixing_error-normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\fixing_error-pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\fixing_error-rollover.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\main_disable.jpg -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\main_enable.jpg -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\main_pressed.jpg -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\main_roll_over.jpg -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\mask.bmp -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\mask1.bmp -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scan.swf -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scan_complete-disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scan_complete-normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scan_complete-pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scan_complete-roll_over.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scancomplete.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scanning_error-disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scanning_error-normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scanning_error-pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scanning_error-rollover.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\schedule_disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\schedule_normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\schedule_pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\schedule_rollover.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\skin.ini -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\support_disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\support_normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\support_pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\support_rollover.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\unlock_key-disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\unlock_key-normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\unlock_key-pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\unlock_key-roll_over.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\unins000.dat -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\unins000.exe -> Adware.BugDoctor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bug Doctor_is1 -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\WINDOWS\Um9iIEFndWlsYXI\command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
HKU\S-1-5-21-1417001333-1078145449-1957994488-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{052B12F7-86FA-4921-8482-26C42316B522} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1417001333-1078145449-1957994488-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1417001333-1078145449-1957994488-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39F25B12-74FF-4079-A51F-1D70F5B08B84} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1417001333-1078145449-1957994488-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1417001333-1078145449-1957994488-1004\Software\IST -> Adware.ISTBar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WinATS.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{066E107F-E7EC-48CF-B573-2229C1022784}\RP142\A0014464.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{066E107F-E7EC-48CF-B573-2229C1022784}\RP142\A0014466.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{066E107F-E7EC-48CF-B573-2229C1022784}\RP142\A0014569.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{1C887A54-0298-1033-0224-001116190001}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{1C887A54-0298-1033-0224-001116190001}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{3C887A54-0298-1033-0224-001116190001}\888Bar.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{066E107F-E7EC-48CF-B573-2229C1022784}\RP142\A0014465.exe -> Adware.ValueAd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mljghhf.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{066E107F-E7EC-48CF-B573-2229C1022784}\RP142\A0014567.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{066E107F-E7EC-48CF-B573-2229C1022784}\RP142\A0014589.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\webHancer -> Adware.WebHancer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\webHancer\CC -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\Program Files\HTTP Brute Forcer\excite.def -> Backdoor.DSSdoor.b : Cleaned with backup (quarantined).
C:\WINDOWS\Setup.exe -> Backdoor.IRCBot.qc : Cleaned with backup (quarantined).
C:\z.rar/Setup.exe -> Backdoor.IRCBot.qc : Cleaned with backup (quarantined).
C:\WINDOWS\system32\setup_module.exe -> Backdoor.Skrat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dr.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{066E107F-E7EC-48CF-B573-2229C1022784}\RP145\A0014826.dll -> Downloader.Agent.bac : Cleaned with backup (quarantined).
C:\VundoFix Backups\souanikp.dll.bad -> Downloader.Agent.bac : Cleaned with backup (quarantined).
C:\WINDOWS\Help\baskey.dll -> Downloader.Agent.bai : Cleaned with backup (quarantined).
C:\WINDOWS\msagent\pskb.dll -> Downloader.Agent.bai : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{066E107F-E7EC-48CF-B573-2229C1022784}\RP142\A0014441.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winC24B.tmp.exe -> Downloader.Agent.bdr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{066E107F-E7EC-48CF-B573-2229C1022784}\RP142\A0014596.exe -> Downloader.INService : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{066E107F-E7EC-48CF-B573-2229C1022784}\RP142\A0014559.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winCC25.tmp.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{066E107F-E7EC-48CF-B573-2229C1022784}\RP142\A0014560.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\WINDOWS\system32\setup9X.exe -> Downloader.VB.afp : Cleaned with backup (quarantined).
C:\WINDOWS\system32\install.exe -> Downloader.VB.aqb : Cleaned with backup (quarantined).
C:\Program Files\Program Install Files\Cinematograph_by_ICI.zip/startxxx.exe -> Downloader.Zlob.anj : Cleaned with backup (quarantined).
C:\Documents and Settings\Mr. Hyde\My Documents\Utilities\Norton Antivirus 2004 Activation Key\Norton_AntiVirus_2002-2004_Subscription_Update.zip/start.exe -> Downloader.Zlob.atn : Cleaned with backup (quarantined).
C:\Program Files\Program Install Files\Blaze.Media.Pro.v7.0-TBE.rar/run.exe -> Downloader.Zlob.avs : Cleaned with backup (quarantined).
C:\Program Files\Program Install Files\Cinematograph_v2.1.3.3.zip/start.exe -> Downloader.Zlob.bak : Cleaned with backup (quarantined).
C:\Documents and Settings\Mr. Hyde\My Documents\Utilities\Motorola_QuicConfig_Bitsurfr_1.0_Serial.zip/start.exe -> Downloader.Zlob.bbc : Cleaned with backup (quarantined).
C:\Documents and Settings\Mr. Hyde\My Documents\Utilities\Motorola_moible_PhoneTools_v3.19e1_Retail_by_ViRiLiTY.zip/run.exe -> Downloader.Zlob.bbc : Cleaned with backup (quarantined).
C:\Program Files\Program Install Files\iepv.exe -> Dropper.Agent.lu : Cleaned with backup (quarantined).
C:\Program Files\Program Install Files\iepv.zip/iepv.exe -> Dropper.Agent.lu : Cleaned with backup (quarantined).
C:\Program Files\Program Install Files\satan's-trick.zip/satan's-trick.scr -> Dropper.VB.cm : Cleaned with backup (quarantined).
C:\Program Files\Common Files\svchost.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{066E107F-E7EC-48CF-B573-2229C1022784}\RP142\A0014454.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winC249.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{066E107F-E7EC-48CF-B573-2229C1022784}\RP142\A0014595.exe -> Logger.Banker.zn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{066E107F-E7EC-48CF-B573-2229C1022784}\RP142\A0014452.dll -> Trojan.Agent.acl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{066E107F-E7EC-48CF-B573-2229C1022784}\RP145\A0014820.dll -> Trojan.Agent.acl : Cleaned with backup (quarantined).
C:\VundoFix Backups\VSAdd-in.dll.bad -> Trojan.Agent.acl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{066E107F-E7EC-48CF-B573-2229C1022784}\RP145\A0014829.dll -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\VundoFix Backups\winmzj32.dll.bad -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{066E107F-E7EC-48CF-B573-2229C1022784}\RP145\A0014828.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\VundoFix Backups\uqvyegwg.dll.bad -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win160B.tmp.exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win1683.tmp.exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win1688.tmp.exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win17D7.tmp.exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\Program Files\QuickTime\QTSystem\QuickTimeWebHelper.Resources\QuickTimeWebHelper.qtx -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\Documents and Settings\Mr. Hyde\Local Settings\Temporary Internet Files\Content.IE5\YL4HGBAZ\xi5[1].exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{066E107F-E7EC-48CF-B573-2229C1022784}\RP142\A0014470.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\Um9iIEFndWlsYXI\oA62KHIBxq5PsrK.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wnsintsv.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\uninstall_nmon.vbs -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

---------------


Logfile of HijackThis v1.99.1
Scan saved at 5:11:40 PM, on 2/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mr. Hyde\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {B521039C-992C-E28A-7B92-B49E8B3B54CA} - (no file)
O2 - BHO: (no name) - {0AFEA888-B97B-4EDE-AC47-1FEE31D5CEE5} - C:\WINDOWS\system32\efcayab.dll (file missing)
O2 - BHO: (no name) - {13CA794E-A009-43A0-A101-8771D5317FA4} - (no file)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {5A061098-7F46-5FE3-983C-028F0FCE9DAD} - C:\WINDOWS\system32\fzmbwdk.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\bdensusy.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {81967C99-EF7C-98DD-7872-CA896B0369C8} - (no file)
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\System32\souanikp.dll (file missing)
O2 - BHO: (no name) - {90559577-1D70-4E2F-9084-4F15DC3AFC91} - C:\WINDOWS\system32\xxwuv.dll (file missing)
O2 - BHO: (no name) - {B521039C-992C-E28A-7B92-B49E8B3B54CA} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\cdpmkoic.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [startemdoit] C:\WINDOWS\eltonehour.exe
O4 - HKLM\..\Run: [ms05626047870] C:\WINDOWS\ms05626047870.exe
O4 - HKLM\..\Run: [mmcrat06] C:\WINDOWS\mmputt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [trprcsk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\trprcsk.dll,vhsrotc
O4 - HKLM\..\Run: [Security] C:\WINDOWS\WindowsSecurityUpdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DF9FC57-BF2D-42F5-92C2-9620EDCA4560}: NameServer = 68.87.76.178,68.87.76.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{2DF9FC57-BF2D-42F5-92C2-9620EDCA4560}: NameServer = 68.87.76.178,68.87.76.130
O17 - HKLM\System\CS3\Services\Tcpip\..\{2DF9FC57-BF2D-42F5-92C2-9620EDCA4560}: NameServer = 68.87.76.178,68.87.76.130
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
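
The HijackThis log above is the kind of listing the helpers in this forum read line by line, looking for the same few tells: entries whose file is already gone ("(file missing)", "(no file)"), unnamed BHOs loading random-looking DLLs from system32, Run keys pointing into the Windows folder itself or going through rundll32, non-Microsoft sites in the IE Trusted Zone, services with no publisher, and filenames that imitate core Windows binaries (svchosts.exe). The Python below is an added example that applies those checks as code; it is not part of the original thread, nor a BleepingComputer or HijackThis tool. The sample entries are copied from the log above except the "[svchost]" O4 line, which is constructed from a path the AVG Anti-Spyware report flagged; the allow-list of trusted-zone domains and every rule are assumptions chosen for the example, not anything HijackThis itself does.

```python
"""Heuristic triage of HijackThis v1.99 log entries.

Added example for this thread: not a BleepingComputer or HijackThis tool,
and not code posted by anyone in the thread. It applies, as code, the
checks a malware-removal helper makes by eye when reading a log like the
one above. Every rule is a heuristic chosen here (an assumption, not
HijackThis behaviour) and will flag some legitimate software, so the
output ranks entries for review; it does not decide what to delete.
"""
import difflib
import ntpath
import re

# Sample input: entries copied from the HijackThis log posted above. The
# "[svchost]" O4 line is constructed for this example from a path the AVG
# Anti-Spyware report flagged (C:\Program Files\Common Files\svchost.exe).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0AFEA888-B97B-4EDE-AC47-1FEE31D5CEE5} - C:\WINDOWS\system32\efcayab.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {5A061098-7F46-5FE3-983C-028F0FCE9DAD} - C:\WINDOWS\system32\fzmbwdk.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ms05626047870] C:\WINDOWS\ms05626047870.exe
O4 - HKLM\..\Run: [trprcsk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\trprcsk.dll,vhsrotc
O4 - HKLM\..\Run: [Security] C:\WINDOWS\WindowsSecurityUpdate.exe
O4 - HKLM\..\Run: [svchost] C:\Program Files\Common Files\svchost.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# First Windows path ending in an executable-ish extension, quoted or not.
PATH_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"]+?\.(?:exe|dll|scr|com|bat|vbs|pif))\b', re.IGNORECASE)

SYSTEM_ROOT = r"c:\windows"
SYSTEM32 = r"c:\windows\system32"
# Core Windows processes and where the real one lives (XP layout). A copy
# elsewhere, or a near-miss spelling such as svchosts.exe, is a classic disguise.
SYSTEM_BINARIES = {
    "smss.exe": SYSTEM32, "csrss.exe": SYSTEM32, "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32, "lsass.exe": SYSTEM32, "svchost.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32, "explorer.exe": SYSTEM_ROOT,
}
# Domains a helper would accept in the IE Trusted Zone (assumed allow-list).
TRUSTED_ZONE_ALLOW = ("windowsupdate.com", "microsoft.com")


def first_path(body):
    """Return the first file path in an entry, or None (O15 lines have none)."""
    m = PATH_RE.search(body)
    return m.group("path") if m else None


def trusted_zone_allowed(body):
    """True if an O15 entry's host is on the allow-list ('*.' wildcards stripped)."""
    url = body.split(":", 1)[1].split()[0]          # "Trusted Zone: http://x (HKLM)" -> "http://x"
    host = re.sub(r"^[a-z]+://", "", url.lower()).lstrip("*.")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_ZONE_ALLOW)


def flags_for(line):
    """Reasons one HijackThis entry deserves a look; an empty list means nothing noted."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    lower = body.lower()
    path = first_path(body)
    folder = ntpath.dirname(path).lower() if path else ""
    name = ntpath.basename(path).lower() if path else ""
    reasons = []

    if "(file missing)" in lower or "(no file)" in lower:
        reasons.append("orphaned: registry entry points at a file that is gone")
    if section == "O2" and "(no name)" in lower and folder == SYSTEM32:
        reasons.append("unnamed BHO loading a DLL from system32")
    if section == "O4":
        if name == "rundll32.exe":
            reasons.append("rundll32 used to autostart a DLL")
        elif folder == SYSTEM_ROOT:
            reasons.append("autostart binary sitting in the Windows folder itself")
    if section == "O15" and not trusted_zone_allowed(body):
        reasons.append("non-Microsoft site in IE Trusted Zone")
    if section == "O23" and "unknown owner" in lower:
        reasons.append("service with no publisher")
    if name in SYSTEM_BINARIES:
        if folder != SYSTEM_BINARIES[name]:
            reasons.append("core Windows binary name outside its normal folder")
    elif name and difflib.get_close_matches(name, list(SYSTEM_BINARIES), n=1, cutoff=0.9):
        reasons.append("filename mimics a core Windows binary")
    return reasons


def triage(log_text):
    """Map each flagged entry to its reasons; clean entries are left out."""
    report = {}
    for line in log_text.strip().splitlines():
        reasons = flags_for(line)
        if reasons:
            report[line] = reasons
    return report


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("    ->", reason)
```

Run it as a script to print the flagged entries with their reasons, or call flags_for() on any single line. Treat the output as a reading order, not a delete list: legitimate software can trip these heuristics, and a "(file missing)" BHO is a registry leftover to clean up, not evidence that the infection is still active.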

#6 YounGun

YounGun

    The malware-fighting kid


  • Members
  • 244 posts
  • Gender:Male
  • Location:Romania, Bucharest

Posted 19 February 2007 - 04:24 AM

Please download and run http://www.thespykiller.co.uk/files/HJTsetup.exe

It will install HijackThis in C:\Program Files\Hijackthis.
After installation, go into that folder and run HijackThis, do a new scan, save the log, and then post the new log here along with a new Silent Runners log.



