
Smitfraud And Other Spyware/performance Problems, Help Please


  • This topic is locked
21 replies to this topic

#1 coop1333

coop1333

  • Members
  • 11 posts

Posted 26 February 2007 - 03:35 PM

I was able to remove many problems with Ad-Aware/Spybot. Some still exist though, and performance still makes me think there are existing problems; any help is much appreciated!

Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:29:03 PM, on 2/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mail-www.oit.umass.edu/horde/imp/ns...hp?reason=login
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136602146\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: World Poker Exchange - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} - C:\Program Files\WorldPokerExchange\GameClient.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - C:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iWonPMSetup_12_1,0,2,5.exe
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v46/wof/wof.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


#2 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 26 February 2007 - 03:40 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Download SDFix and save it to your Desktop.
Double-click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Now, please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.

Open the extracted SDFix folder and double-click runThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
Press any key and it will restart the PC.
When the PC restarts, the fix tool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and will also be saved in the SDFix folder as Report.txt
(Report.txt will also be copied to the Clipboard, ready for posting back on the forum).

Make a list of all the programs installed on your computer:
Open HijackThis
Click the Config... button, then go to the Misc Tools section.
Press Open Uninstall Manager. You'll see a list of programs.
Select Save List... - save it to your Desktop.
The file "uninstall_list.txt" will be created.
Copy and paste the contents of this file to your next reply.

Post report.txt in your next reply, along with a new HijackThis log and the uninstall list. Also, what makes you think you have Smitfraud?
Thanks,
Charles

Edited by rookie147, 26 February 2007 - 03:44 PM.

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 coop1333

coop1333
  • Topic Starter

  • Members
  • 11 posts

Posted 26 February 2007 - 04:49 PM

Hey, thanks for such a fast response. I've done everything you've asked, and below are the logs you wanted to see. When I originally ran my updated Spybot, I found many problems, one of which was Smitfraud; there were multiple entries. It was only able to delete most of the entries, leaving behind one because it was "still in system memory, but could be removed upon start up next time". It still couldn't get rid of it on the second try either, though. The file it found was windows/system32/rpcc.dll.

Thanks for any help.


SDFix: Version 1.68

Run by Administrator - Mon 02/26/2007 @ 16:31:18.53

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Client IP-IPX

Path:
"" -e te-110-12-0000271

Client IP-IPX Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File

Killing PID 152 'smss.exe'
Killing PID 228 'winlogon.exe'

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\Documents and Settings\Administrator\Local Settings\Temp\2.dllb - Deleted
C:\Documents and Settings\Administrator\Local Settings\Temp\6.dllb - Deleted
C:\Documents and Settings\Administrator\Local Settings\Temp\7.dllb - Deleted
C:\WINDOWS\system32\ma.exe.exe - Deleted
C:\WINDOWS\system32\pp.exe.exe - Deleted
C:\WINDOWS\system32\zu.exe.exe - Deleted
C:\WINDOWS\system32\kernels88.exe - Deleted
C:\WINDOWS\system32\rpcc.dll - Deleted
C:\WINDOWS\system32\svchosts.exe - Deleted
C:\WINDOWS\system32\vxga3me2.exe - Deleted
C:\WINDOWS\system32\vxga5me3.exe - Deleted
C:\WINDOWS\system32\vxga8me6.exe - Deleted
C:\WINDOWS\system32\vxg4am1et2.exe - Deleted
C:\WINDOWS\system32\vxg6ame4.exe - Deleted
C:\WINDOWS\system32\zlbw.dll - Deleted



ADS Check:

C:\WINDOWS\system32
:{726B6F7C-E889-4EFE-8CA3-AEF4943DBD38} 12
Total size: 12 bytes.


Removing ADS...

system32: deleted 12 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\i2hub\\i2hub.exe"="C:\\Program Files\\i2hub\\i2hub.exe:*:Enabled:i2hub"
"C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\javaw.exe"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\javaw.exe:*:Disabled:javaw"
"C:\\NeverwinterNights\\NWN\\nwmain.exe"="C:\\NeverwinterNights\\NWN\\nwmain.exe:*:Enabled:Neverwinter Nights"
"C:\\Program Files\\PartyPoker\\PartyPoker.exe"="C:\\Program Files\\PartyPoker\\PartyPoker.exe:*:Enabled:PartyPoker"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"
"C:\\Program Files\\PopCap Games\\Typer Shark Deluxe\\WinTS.exe"="C:\\Program Files\\PopCap Games\\Typer Shark Deluxe\\WinTS.exe:*:Enabled:Typer Shark! Deluxe"
"C:\\Program Files\\GameHouse\\TextTwist\\TextTwist.exe"="C:\\Program Files\\GameHouse\\TextTwist\\TextTwist.exe:*:Enabled:Super TextTwist"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Enabled:WinMX Application"
"C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\i2hub\\My i2hub Downloads\\doom 1, 2, tnt, final & ultimate\\Doom95.exe"="C:\\Program Files\\i2hub\\My i2hub Downloads\\doom 1, 2, tnt, final & ultimate\\Doom95.exe:*:Enabled:doom95"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1136602146\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1136602146\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1136602146\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1136602146\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\SmartWhois\\sw.exe"="C:\\Program Files\\SmartWhois\\sw.exe:*:Enabled:SmartWhois"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Ruckus Player\\Ruckus.exe"="C:\\Program Files\\Ruckus Player\\Ruckus.exe:*:Enabled:Ruckus"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Disabled:Framework Service"
"C:\\WINDOWS\\system32\\sm.exe"="C:\\WINDOWS\\system32\\sm.exe:*:Enabled:enable"
"C:\\WINDOWS\\system32\\dd.exe"="C:\\WINDOWS\\system32\\dd.exe:*:Enabled:enable"
"C:\\WINDOWS\\system32\\lnwin.exe"="C:\\WINDOWS\\system32\\lnwin.exe:*:Enabled:enable"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"


Remaining Files:
---------------
C:\WINDOWS\system32\rsvp32_2.dll Found - LSP!

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Documents and Settings\Administrator\NetHood\training on www.soccercenters.com\Desktop.ini
C:\Program Files\Outlook Express\msimn.exe
C:\ajspu.sys
C:\WINDOWS\ujspa.sys
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0001.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0002.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0004.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0005.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0006.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0007.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0343.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0624.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1459.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1512.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1612.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1715.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2138.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2841.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2918.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3118.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3191.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3559.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3619.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3708.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3902.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3994.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL4050.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL4097.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\qpgishs23dl5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~WRL3470.tmp
C:\Documents and Settings\Administrator\My Documents\~WRL0619.tmp
C:\Documents and Settings\Administrator\My Documents\~WRL2424.tmp
C:\Documents and Settings\Administrator\My Documents\~WRL2461.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\Program Files\InterActual\InterActual Player\iti3C.tmp

Add/Remove Programs List:

Adobe Shockwave Player
AOL Instant Messenger
AOL Uninstaller (Choose which Products to Remove)
AVI Codec Pack Lite
BCM V.92 56K Modem
BitTorrent 5.0.1
Dell Wireless WLAN Utility
HijackThis 1.99.1
iTunes
iPod for Windows 2005-03-23
Broadcom 440x 10/100 Integrated Controller
QuickTime
iPod for Windows 2005-09-23
InterActual Player
iWon Prize Machine
LG USB Drivers
LimeWire 4.12.8
Mozilla Firefox (2.0)
Microsoft Speech Recognition Engine 4.0 (English)
Microsoft Text-to-Speech Engine 4.0 (English)
Musicnotes Player V1.22.3
Ahead Nero Burning ROM
RealPlayer
Ruckus Player
Security Toolbar
Adobe Flash Player 9 ActiveX
SmartWhois
Spybot - Search & Destroy 1.4
Karen's Alarm Clock
Windows XP Service Pack 2
WinRAR archiver
Microsoft User-Mode Driver Framework Feature Pack 1.0 (Beta2)
XviD 1.1 final uninstall
Microsoft Office 2000 Premium
iTunes
Street Atlas USA 2004 Data
J2SE Runtime Environment 5.0 Update 7
V CAST Music
iPod for Windows 2005-03-23
Broadcom 440x 10/100 Integrated Controller
Bonjour Core for Windows
McAfee VirusScan Enterprise
PowerDVD
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 Runtime Environment, SE v1.4.2_06
SSH Secure Shell
Ad-Aware SE Personal
SigmaTel AC97 Audio Drivers
Intel® Extreme Graphics 2 Driver
QuickTime
Adobe Reader 6.0.1
iPod for Windows 2005-09-23
Dell ResourceCD
Street Atlas USA 2004
BitPim 0.9.09

Finished



Uninstall list:

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 6.0.1
Adobe Shockwave Player
Ahead Nero Burning ROM
AOL Instant Messenger
AOL Uninstaller (Choose which Products to Remove)
AVI Codec Pack Lite
BCM V.92 56K Modem
BitPim 0.9.09
BitTorrent 5.0.1
Bonjour Core for Windows
Broadcom 440x 10/100 Integrated Controller
Dell ResourceCD
Dell Wireless WLAN Utility
HijackThis 1.99.1
Intel® Extreme Graphics 2 Driver
InterActual Player
iPod for Windows 2005-03-23
iPod for Windows 2005-09-23
iTunes
iWon Prize Machine
J2SE Runtime Environment 5.0 Update 7
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 Runtime Environment, SE v1.4.2_06
Karen's Alarm Clock
LG USB Drivers
LimeWire 4.12.8
McAfee VirusScan Enterprise
Microsoft Office 2000 Premium
Microsoft Speech Recognition Engine 4.0 (English)
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (Beta2)
Mozilla Firefox (2.0)
MSXML 4.0 SP2 (KB927978)
Musicnotes Player V1.22.3
PowerDVD
QuickTime
RealPlayer
Ruckus Player
Security Toolbar
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
SigmaTel AC97 Audio Drivers
SmartWhois
Spybot - Search & Destroy 1.4
SSH Secure Shell
Street Atlas USA 2004
Street Atlas USA 2004 Data
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
V CAST Music
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
XviD 1.1 final uninstall


HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:41:09 PM, on 2/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mail-www.oit.umass.edu/horde/imp/ns...hp?reason=login
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136602146\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: World Poker Exchange - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} - C:\Program Files\WorldPokerExchange\GameClient.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - C:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iWonPMSetup_12_1,0,2,5.exe
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v46/wof/wof.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#4 rookie147


Posted 27 February 2007 - 12:25 PM

Hey there,
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 6). Please update and remove the older versions. Do the following:
Go to Start | Control Panel | Add/Remove Programs
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select it and click Remove.
Then download and install the newest version from here:
Java Runtime Environment (JRE) 6

You are using peer-to-peer programs.
These are what we call an optional removal. However, anytime you are running any type of peer-to-peer application, you are more prone to infection by malware, and this is probably how you became infected in the first place. The choice to remove them is entirely up to you, but I would strongly recommend that you do.
If you do not want to, please at least refrain from using any peer-to-peer programs for the remainder of my fix.
For more information about infections as a result of p2p programs, take a look here: http://p2p.malwareremoval.com/

I have noticed from your log that you have various online poker programs installed on your computer. I understand that you may use these games on a regular basis but I think it's important to note that often these kind of programs are installed with other unwanted software, namely spyware or adware. If you did not install these programs yourself, or you do not use them any more, I would definitely recommend that you uninstall them from your computer, even if it is simply a precautionary measure. The amount of different poker software which arises on the internet means it is impossible to keep track of which ones are infected and which ones are not. If you do use the software, and wish to continue doing so, please ignore this.
If you do decide to go ahead and remove the poker software, you should be able to uninstall them via Add/Remove Programs, which can be found in the Control Panel. Let me know if you have any problems whilst doing so.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O9 - Extra button: World Poker Exchange - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} - C:\Program Files\WorldPokerExchange\GameClient.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)

O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iWonPMSetup_12_1,0,2,5.exe
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v46/wof/wof.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll


Note: the entries in blue are related to the poker programs you have installed. If you choose to keep them, don't fix these entries.

Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Next, please find and delete the following files (if present):

C:\WINDOWS\system32\dd.exe
C:\ajspu.sys
C:\WINDOWS\ujspa.sys
C:\WINDOWS\system32\rsvp32_2.dll
C:\WINDOWS\system32\sm.exe
C:\WINDOWS\system32\lnwin.exe
C:\WINDOWS\system32\a3dxq.dll

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

Backup the Registry:

Navigate to Start | Run and paste the following:

regedit /e c:\registrybackup.reg

Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sm.exe"=-
"C:\\WINDOWS\\system32\\dd.exe"=-
"C:\\WINDOWS\\system32\\lnwin.exe"=-

Save this as fix.reg. Choose to save as *all files and place it on your Desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

Reboot into Normal Mode again.

Click here to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
Copy and paste the contents of the AWF.txt file in your next reply.

Please include AWF.txt and a new HijackThis log in your reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#5 coop1333


Posted 27 February 2007 - 02:06 PM

Alright, I've done all you asked me to do, however:

C:\WINDOWS\system32\lnwin.exe - This file was not there on my computer.

C:\WINDOWS\system32\a3dxq.dll - I was told that this was (being used by another person or program cannot delete)

Another question I have is, upon bootup, if I open my task manager (ctrl-alt-delete) and look at the running processes, while there are no windows open, my computer always has an iexplore.exe of about 40,000k running. I'm not sure why this is or if it's a problem, just seems kind of odd to me.

I removed all the online poker programs. I did not remove the p2p programs, but am not using them; I plan on getting rid of them, just need to take the files I've gotten from them that I want to keep.

Here are your requested logs, thanks again for all your continuing help, things seem to be running smoother with each fix.

**awf.txt


Find AWF report by noahdfear 2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~



25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM\BAK

08/05/2005 02:08 PM 67,160 aim.exe
1 File(s) 67,160 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

02/08/2006 02:03 PM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

02/20/2006 11:09 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\SPYWAR~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

09/20/2005 08:32 AM 77,824 hkcmd.exe
09/20/2005 08:36 AM 114,688 igfxpers.exe
09/20/2005 08:35 AM 94,208 igfxtray.exe
11/14/2004 04:49 PM 155,648 NeroCheck.exe
4 File(s) 442,368 bytes

Directory of C:\PROGRA~1\NETWOR~1\COMMON~1\BAK

08/06/2004 03:50 AM 139,320 UpdaterUI.exe
1 File(s) 139,320 bytes

Directory of C:\PROGRA~1\NETWOR~1\VIRUSS~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\LAUNCH\BAK

11/02/2005 10:01 PM 50,792 AOLLaunch.exe
1 File(s) 50,792 bytes

Directory of C:\PROGRA~1\COMMON~1\NETWOR~1\TALKBACK\BAK

10/07/2003 09:48 AM 147,514 tbmon.exe
1 File(s) 147,514 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

03/26/2005 05:44 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_0\BIN\BAK

05/03/2006 01:56 AM 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\113660~1\EE\BAK

11/02/2005 10:01 PM 50,792 AOLSoftware.exe
1 File(s) 50,792 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

67112 Aug 1 2006 "C:\Program Files\AIM\aim.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\bak\aim.exe"
28962 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Feb 8 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
28962 Oct 30 2006 "C:\Program Files\QuickTime\qttask.exe"
155648 Feb 20 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
28962 Oct 30 2006 "C:\WINDOWS\system32\hkcmd.exe"
77824 Sep 20 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Oct 27 2003 "C:\DELL\drivers\R69042\Graphics\Win2000\hkcmd.exe"
118784 Oct 27 2003 "C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\hkcmd.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\hkcmd.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\hkcmd.exe"
28962 Oct 30 2006 "C:\WINDOWS\system32\igfxpers.exe"
114688 Sep 20 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
28962 Oct 30 2006 "C:\WINDOWS\system32\igfxtray.exe"
94208 Sep 20 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Oct 27 2003 "C:\DELL\drivers\R69042\Graphics\Win2000\igfxtray.exe"
155648 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\igfxtray.exe"
155648 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\igfxtray.exe"
94208 Sep 20 2005 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\igfxtray.exe"
28962 Oct 30 2006 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Nov 14 2004 "C:\WINDOWS\system32\bak\NeroCheck.exe"
155648 Nov 14 2004 "C:\Program Files\i2hub\Downloads\Nero Burning ROM 6.0.0.0 Ultra Edition with Keymaker and Serial\Setup\System\NeroCheck.exe"
151552 Oct 15 2001 "C:\Program Files\CyberLink\Common\UpdateIPR.exe"
28962 Oct 30 2006 "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
139320 Aug 6 2004 "C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe"
50792 Nov 2 2005 "C:\Program Files\Common Files\AOL\1136602146\ee\aollaunch.exe"
50792 Nov 2 2005 "C:\Program Files\Common Files\AOL\Launch\bak\AOLLaunch.exe"
147514 Oct 7 2003 "C:\Program Files\Common Files\Network Associates\TalkBack\bak\tbmon.exe"
180269 Mar 26 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
36975 May 3 2006 "C:\Program Files\Java\jre1.5.0_07\bin\bak\jusched.exe"
50792 Nov 2 2005 "C:\Program Files\Common Files\AOL\1136602146\ee\bak\AOLSoftware.exe"


end of report


**hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 1:59:06 PM, on 2/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mail-www.oit.umass.edu/horde/imp/ns...hp?reason=login
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136602146\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - C:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#6 rookie147


Posted 27 February 2007 - 04:55 PM

Hello coop1333,

Another question I have is, upon bootup, if I open my task manager (ctrl-alt-delete) and look at the running processes, while there are no windows open, my computer always has an iexplore.exe of about 40,000k running. I'm not sure why this is or if it's a problem, just seems kind of odd to me.

Try ending this task and see if it has any effect. It may be caused by malware, so I'd like to know if you still experience it once we've got rid of everything. If so, we can try to sort it out for you.
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Open up HijackThis.
Click Open the Misc Tools section | Delete a File on Reboot.
Copy and paste the following into the box, then click Open:
C:\WINDOWS\system32\a3dxq.dll
It will ask you if you want to reboot your computer now, please select Yes.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Copy and paste the following text into Notepad:
@echo off
if exist "C:\Program Files\AIM\aim.exe" del /q "C:\Program Files\AIM\aim.exe"
copy "C:\Program Files\AIM\BAK\aim.exe" "C:\Program Files\AIM"
if exist "C:\Program Files\iTunes\iTunesHelper.exe" del /q "C:\Program Files\iTunes\iTunesHelper.exe"
copy "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\iTunes"
if exist "C:\Program Files\QuickTime\qttask.exe" del /q "C:\Program Files\QuickTime\qttask.exe"
copy "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"
if exist "C:\WINDOWS\system32\hkcmd.exe" del /q "C:\WINDOWS\system32\hkcmd.exe"
copy "C:\WINDOWS\system32\bak\hkcmd.exe" "C:\WINDOWS\system32"
if exist "C:\WINDOWS\system32\igfxpers.exe" del /q "C:\WINDOWS\system32\igfxpers.exe"
copy "C:\WINDOWS\system32\bak\igfxpers.exe" "C:\WINDOWS\system32"
if exist "C:\WINDOWS\system32\igfxtray.exe" del /q "C:\WINDOWS\system32\igfxtray.exe"
copy "C:\WINDOWS\system32\bak\igfxtray.exe" "C:\WINDOWS\system32"
if exist "C:\WINDOWS\system32\NeroCheck.exe" del /q "C:\WINDOWS\system32\NeroCheck.exe"
copy "C:\WINDOWS\system32\bak\NeroCheck.exe" "C:\WINDOWS\system32"
if exist "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" del /q "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
copy "C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe" "C:\Program Files\Network Associates\Common Framework"
if exist "C:\Program Files\Common Files\AOL\1136602146\ee\aollaunch.exe" del /q "C:\Program Files\Common Files\AOL\1136602146\ee\aollaunch.exe"
copy "C:\Program Files\Common Files\AOL\Launch\bak\AOLLaunch.exe" "C:\Program Files\Common Files\AOL\1136602146\ee"
if exist "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" del /q "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
copy "C:\Program Files\Common Files\Network Associates\TalkBack\bak\tbmon.exe" "C:\Program Files\Common Files\Network Associates\TalkBack"
if exist "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" del /q "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
copy "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB"
if exist "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" del /q "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
copy "C:\Program Files\Java\jre1.5.0_07\bin\bak\jusched.exe" "C:\Program Files\Java\jre1.5.0_07\bin"
exit
Save this as "awf.bat". Choose to save as *all files and place it on your Desktop.
Double-click awf.bat.

Next, please find and delete the following folders (if present):

C:\Program Files\AIM\BAK
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\system32\bak
C:\Program Files\Network Associates\Common Framework\bak
C:\Program Files\Common Files\AOL\Launch\bak
C:\Program Files\Common Files\Network Associates\TalkBack\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Java\jre1.5.0_07\bin\bak

Reboot into Normal Mode again.

Please post back a new HijackThis log, and a new AWF log,
Thanks,
Charles

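The restore script above pairs each file under a bak folder with the live copy the trojan put in its place. As an added example (not the thread's code and not noahdfear's FindAWF tool), here is a Python script that reads the "Duplicate files of bak directory contents" section of a FindAWF report, flags live files that share one identical size with other replaced files (the pattern visible in the log above, where every replaced file was 28962 bytes), and emits the same del/copy lines the awf.bat used. The report excerpt embedded in it is constructed, modelled on the thread's log.

```python
"""Triage the duplicates section of a FindAWF report and plan the restore.

Added example, not part of the original thread or of the FindAWF tool.
Assumes FindAWF's line format: <size> <Mon> <day> <year> "<path>".
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample modelled on the thread's FindAWF output (not the real log).
SAMPLE_REPORT = r"""Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

67112 Aug 1 2006 "C:\Program Files\AIM\aim.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\bak\aim.exe"
28962 Oct 30 2006 "C:\Program Files\QuickTime\qttask.exe"
155648 Feb 20 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
28962 Oct 30 2006 "C:\WINDOWS\system32\hkcmd.exe"
77824 Sep 20 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Oct 27 2003 "C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\hkcmd.exe"
28962 Oct 30 2006 "C:\WINDOWS\system32\igfxtray.exe"
94208 Sep 20 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
50792 Nov 2 2005 "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe"
50792 Nov 2 2005 "C:\Program Files\Common Files\AOL\Launch\bak\AOLLaunch.exe"
147514 Oct 7 2003 "C:\Program Files\Common Files\Network Associates\TalkBack\bak\tbmon.exe"


end of report
"""

LINE_RE = re.compile(r'^\s*(\d+)\s+[A-Za-z]{3}\s+\d{1,2}\s+\d{4}\s+"(.+)"\s*$')


def parse_duplicates(report):
    """Return [(size, PureWindowsPath)] for each file line in the duplicates section."""
    entries, in_section = [], False
    for line in report.splitlines():
        stripped = line.strip().lower()
        if stripped.startswith("duplicate files of bak"):
            in_section = True
            continue
        if in_section and stripped == "end of report":
            break
        m = LINE_RE.match(line)
        if in_section and m:
            entries.append((int(m.group(1)), PureWindowsPath(m.group(2))))
    return entries


def triage(entries):
    """Pair every bak copy with its live counterpart and classify the pair.

    Verdicts: 'replaced' (live file has the shared dropper size), 'missing_live'
    (no live file listed), 'unchanged' (same size as the backup) or 'differs'
    (size differs but is not shared with other replaced files, so needs a look).
    Returns (pairs, dropper_sizes).
    """
    by_path = {str(p).lower(): size for size, p in entries}
    pairs = []
    for size, p in entries:
        if p.parent.name.lower() != "bak":
            continue                      # only backups the trojan created
        live = p.parent.parent / p.name   # where the original used to live
        pairs.append({"bak": p, "bak_size": size, "live": live,
                      "live_size": by_path.get(str(live).lower())})
    # The dropper overwrites every target with one binary, so replaced live
    # files share a single size that differs from their backup's size.
    shared = Counter(pr["live_size"] for pr in pairs
                     if pr["live_size"] is not None
                     and pr["live_size"] != pr["bak_size"])
    dropper_sizes = {s for s, n in shared.items() if n >= 2}
    for pr in pairs:
        if pr["live_size"] is None:
            pr["verdict"] = "missing_live"
        elif pr["live_size"] == pr["bak_size"]:
            pr["verdict"] = "unchanged"
        elif pr["live_size"] in dropper_sizes:
            pr["verdict"] = "replaced"
        else:
            pr["verdict"] = "differs"
    return pairs, dropper_sizes


def restore_commands(pairs):
    """Emit the del/copy pattern used in the thread's awf.bat, restoring only
    pairs whose verdict calls for it; 'differs' pairs are left for review."""
    cmds = ["@echo off"]
    for pr in pairs:
        live, bak = pr["live"], pr["bak"]
        if pr["verdict"] == "replaced":
            cmds.append(f'if exist "{live}" del /q "{live}"')
        if pr["verdict"] in ("replaced", "missing_live"):
            cmds.append(f'copy "{bak}" "{live.parent}"')
    cmds.append("exit")
    return cmds


if __name__ == "__main__":
    pairs, sizes = triage(parse_duplicates(SAMPLE_REPORT))
    print("shared dropper size(s):", sorted(sizes))
    for pr in pairs:
        print(f"{pr['verdict']:13} {pr['live']}")
    print("\n".join(restore_commands(pairs)))
```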


#7 coop1333


Posted 27 February 2007 - 08:39 PM

Hey -

I finished all of those steps, here are the logs you requested:

On another note, the iexplore.exe of 60000k or so still starts up when Windows boots up even though I see no Internet Explorer windows open. I can end the task, but just wondering if you have any idea of what this is or if it could be a problem.

Thanks again!

- Coop


****AWF Log



Find AWF report by noahdfear 2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~



25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SPYWAR~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\NETWOR~1\VIRUSS~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\113660~1\EE\BAK

11/02/2005 10:01 PM 50,792 AOLSoftware.exe
1 File(s) 50,792 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

50792 Nov 2 2005 "C:\Program Files\Common Files\AOL\1136602146\ee\bak\AOLSoftware.exe"


end of report



****HiJackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 8:34:12 PM, on 2/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mail-www.oit.umass.edu/horde/imp/ns...hp?reason=login
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136602146\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - C:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#8 rookie147


Posted 28 February 2007 - 10:18 AM

Hello again,
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Copy and paste the following text into Notepad:
@echo off
if exist "C:\Program Files\Common Files\AOL\1136602146\ee\AOLSoftware.exe" del /q "C:\Program Files\Common Files\AOL\1136602146\ee\AOLSoftware.exe"
copy "C:\Program Files\Common Files\AOL\1136602146\ee\BAK\AOLSoftware.exe" "C:\Program Files\Common Files\AOL\1136602146\ee"
exit
Save this as "leftovers.bat" Choose to save as *all files and place it on your Desktop.
Double-click leftovers.bat.

Reboot into Safe Mode and delete these folders:

C:\Program Files\Messenger\BAK
C:\Program Files\Spyware Doctor\BAK
C:\Program Files\Network Associates\VirusScan\BAK
C:\Program Files\Common Files\AOL\1136602146\ee\BAK

Let's clean out your temporary internet files:
Close all open windows before we start.
Go to Start | Control Panel | Internet Options | General.
Click the Delete Cookies button.
Next to it, click the Delete Files button.
When prompted, place a check in: 'Delete all offline content', click OK

If you have Firefox installed, we need to clean out these temporary files as well:
Go to Tools | Options.
Click Privacy.
Press the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to finish, before closing it.
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Now we'll clean other temporary files and your Recycle Bin:
Go to Start | Run | type: cleanmgr | OK.
Let it scan your system for files to remove.
Make sure 'Temporary Files', 'Temporary Internet Files', and 'Recycle Bin' are the only things checked.
Press OK to remove them.

Reboot into Normal Mode again.

Please run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open, click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button.
Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

Please include the Panda report, and a new AWF log in your next post.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.

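The leftovers.bat above restores one replaced program file by hand, and the FindAWF report that follows looks for the same pattern across the disk: a legitimate startup executable overwritten by a small downloader stub (FindAWF searches for files of exactly 21504, 25600 or 26450 bytes) with the real file moved into a BAK subfolder beside it. The script below is an added example, not code from this thread or from the FindAWF, SDFix or smitRem tools: it generalises the check-and-restore to any directory tree. It only restores a stub-sized file when a same-named BAK copy exists; a stub-sized file with no backup cannot be restored and is left for manual inspection. All paths it touches are a constructed temporary directory, and the file contents are hypothetical placeholders, so it runs offline.

```python
"""Added example (not from the thread or from the FindAWF/SDFix tools):
detect AWF-style replaced startup executables and restore the originals
from their BAK folders. Runs against a constructed temporary tree."""
import os
import shutil
import tempfile

# Stub sizes taken from the FindAWF report headings in the thread.
AWF_STUB_SIZES = {21504, 25600, 26450}


def find_awf_candidates(roots):
    """Return (stub_path, backup_path) pairs: files whose size matches a known
    stub size AND that have a same-named file in a sibling BAK folder.
    A stub-sized file without a backup is not returned; it cannot be restored
    automatically and needs a manual look instead."""
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            if os.path.basename(dirpath).upper() == "BAK":
                continue  # never treat the backed-up originals as stubs
            for name in filenames:
                path = os.path.join(dirpath, name)
                backup = os.path.join(dirpath, "BAK", name)
                if os.path.getsize(path) in AWF_STUB_SIZES and os.path.isfile(backup):
                    hits.append((path, backup))
    return hits


def restore_from_bak(stub_path, backup_path):
    """Delete the stub and copy the original back: the same two steps as the
    posted leftovers.bat. The BAK copy is left in place (the thread removes the
    BAK folders afterwards in Safe Mode). Returns the restored file's size."""
    os.remove(stub_path)
    shutil.copy2(backup_path, stub_path)
    return os.path.getsize(stub_path)


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_sample_tree():
    """Constructed sample tree (hypothetical contents, not real binaries):
    - AOL/ee/AOLSoftware.exe: 21504-byte stub, original kept in BAK (restorable)
    - Intel/hkcmd.exe: normal-sized file that also has a BAK copy (clean, untouched)
    - Temp/win32.exe: stub-sized file with no backup (not restorable, untouched)"""
    base = tempfile.mkdtemp(prefix="awf_demo_")
    _write(os.path.join(base, "AOL", "ee", "AOLSoftware.exe"), b"\0" * 21504)
    _write(os.path.join(base, "AOL", "ee", "BAK", "AOLSoftware.exe"), b"MZ" + b"\1" * 40000)
    _write(os.path.join(base, "Intel", "hkcmd.exe"), b"MZ" + b"\2" * 12000)
    _write(os.path.join(base, "Intel", "BAK", "hkcmd.exe"), b"MZ" + b"\2" * 12000)
    _write(os.path.join(base, "Temp", "win32.exe"), b"\0" * 25600)
    return base


def demo():
    """Detect, restore, then re-detect on the sample tree; report the counts."""
    base = build_sample_tree()
    try:
        before = find_awf_candidates([base])
        restored_sizes = [restore_from_bak(stub, bak) for stub, bak in before]
        after = find_awf_candidates([base])
        return {"before": len(before), "restored_sizes": restored_sizes, "after": len(after)}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Size alone is a weak signal, which is why the script insists on the BAK twin before acting; on a real machine the restored file should still be submitted to a scanner, as Charles does later in this thread with the Suspicious File Packer, because a BAK copy can itself be a planted file.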

#9 coop1333

coop1333
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:26 AM

Posted 28 February 2007 - 01:06 PM

Hey Charles -

Okay completed all the steps, but had one thing to point out:

While scanning with panda, my virus scanner (McAfee) found the following

problems:

Name: update.exe
In Folder: C:\program files\common files\{B416DA83-0AED-1033-0820-040203200001}\Update.exe
Detected as: generic downloader.k
Type: trojan
status: deleted
application: iexplore.exe

Name: PAGE[1].HTM.VIR
In Folder: c:\quarantine\page[1].htm.Vir
Detected as: JS/downloader-AUD
Detection type: trojan
Status: Moved (clean failed)
application: iexplore.exe

Name: PAGE[1].HTM.VIR.0
In Folder: c:\quarantine\page[1].htm.Vir.0
Detected as: JS/downloader-AUD
Detection type: trojan
Status: Moved (clean failed)
application: iexplore.exe

The update.exe file also came up a second time on the virus scanner, and was deleted again. Same location and all.


Here are the logs:

***PANDA LOG


Incident Status Location

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[10].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[11].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[12].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[3].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[4].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[5].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[6].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[7].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[8].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[9].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Adware:Adware/Adsmart Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\win32.exe
Virus:Trj/Alanchum.SH Disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\678RATUD\dd[1].exe
Virus:Trj/Alanchum.SH Disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YZI1234N\mm[1].exe
Virus:Trj/Alanchum.SH Disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YZI1234N\sm[1].exe
Adware:Adware/ActiveSearch Not disinfected C:\Program Files\Common Files\{B416DA83-063E-1033-0820-040203200001}\system.dll
Adware:Adware/ActiveSearch Not disinfected C:\Program Files\Common Files\{B416DA83-0AED-1033-0820-040203200001}\system.dll
Adware:Adware/SystemDoctor Not disinfected C:\Program Files\iTunes\iTunesHelper.exe
Adware:Adware/SystemDoctor Not disinfected C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
Adware:Adware/SystemDoctor Not disinfected C:\Program Files\QuickTime\qttask.exe
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\archive.jar-18c47286-12cb7bf9.zip.Vir[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\archive.jar-18c47286-12cb7bf9.zip.Vir[VB.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\archive.jar-18c47286-12cb7bf9.zip.Vir[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\archive.jar-18c47286-12cb7bf9.zip.Vir[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\archive.jar-18f5afaf-7d431489.zip.Vir[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\archive.jar-18f5afaf-7d431489.zip.Vir[VB.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\archive.jar-18f5afaf-7d431489.zip.Vir[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\archive.jar-18f5afaf-7d431489.zip.Vir[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\archive.jar-3076c06c-721a3d14.zip.Vir[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\archive.jar-3076c06c-721a3d14.zip.Vir[VB.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\archive.jar-3076c06c-721a3d14.zip.Vir[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\archive.jar-3076c06c-721a3d14.zip.Vir[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\archive.jar-7aeeceeb-6b7e8142.zip.Vir[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\archive.jar-7aeeceeb-6b7e8142.zip.Vir[VB.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\archive.jar-7aeeceeb-6b7e8142.zip.Vir[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\archive.jar-7aeeceeb-6b7e8142.zip.Vir[Beyond.class]
Spyware:Generic Adware Not disinfected C:\quarantine\AVICodecPackLite3.exe.Vir
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\classload.jar-28e8d1c5-2af278f0.zip.Vir[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\classload.jar-28e8d1c5-2af278f0.zip.Vir[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\classload.jar-28e8d1c5-2af278f0.zip.Vir[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\classload.jar-28e8d1c5-2af278f0.zip.Vir[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\classload.jar-2fdafaa7-2a9306b8.zip.Vir[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\classload.jar-2fdafaa7-2a9306b8.zip.Vir[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\classload.jar-2fdafaa7-2a9306b8.zip.Vir[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\classload.jar-2fdafaa7-2a9306b8.zip.Vir[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\classload.jar-96d30d8-4bd6d3d2.zip.Vir[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\classload.jar-96d30d8-4bd6d3d2.zip.Vir[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\classload.jar-96d30d8-4bd6d3d2.zip.Vir[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\classload.jar-96d30d8-4bd6d3d2.zip.Vir[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\count.jar-38f2bf29-3dc93ec1.zip.Vir[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\count.jar-38f2bf29-3dc93ec1.zip.Vir[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\count.jar-38f2bf29-3dc93ec1.zip.Vir[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\count.jar-38f2bf29-3dc93ec1.zip.Vir[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\count.jar-66caba6e-3ba55e25.zip.Vir[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\count.jar-66caba6e-3ba55e25.zip.Vir[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\count.jar-66caba6e-3ba55e25.zip.Vir[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\count.jar-66caba6e-3ba55e25.zip.Vir[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\count.jar-7a9cf13e-79c06f65.zip.Vir[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\count.jar-7a9cf13e-79c06f65.zip.Vir[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\count.jar-7a9cf13e-79c06f65.zip.Vir[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\count.jar-7a9cf13e-79c06f65.zip.Vir[Beyond.class]
Spyware:Spyware/Petro-Line Not disinfected C:\quarantine\enter[1].cab.Vir
Hacktool:Hacktool/ScanLine Not disinfected C:\quarantine\foundstone_tools.zip.Vir[scanline.zip][sl.exe]
Adware:Adware/CWS.Searchmeup Not disinfected C:\quarantine\java.jar-5f22f99-7c59df29.zip.Vir[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\quarantine\java.jar-5f22f99-7c59df29.zip.Vir[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\java.jar-5f22f99-7c59df29.zip.Vir[NewSecurityClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\java.jar-5f22f99-7c59df29.zip.Vir[NewURLClassLoader.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\quarantine\java.jar-7d4dc020-1e7a4336.zip.Vir[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\quarantine\java.jar-7d4dc020-1e7a4336.zip.Vir[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\java.jar-7d4dc020-1e7a4336.zip.Vir[NewSecurityClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\java.jar-7d4dc020-1e7a4336.zip.Vir[NewURLClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\loaderadv525.jar-3eb62c76-5e08d874.zip.Vir[Matrix.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\loaderadv525.jar-3eb62c76-5e08d874.zip.Vir[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\loaderadv525.jar-3eb62c76-5e08d874.zip.Vir[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\quarantine\loaderadv525.jar-3eb62c76-5e08d874.zip.Vir[Parser.class]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\quarantine\Pstools.zip.Vir[pskill.exe]
Potentially unwanted tool:Application/Psexec.A Not disinfected C:\quarantine\Pstools.zip.Vir[psexec.exe]
Hacktool:Rootkit/Nurech.A Not disinfected C:\quarantine\wincom32.sys.Vir
Adware:Adware/ActiveSearch Not disinfected C:\RECYCLER\S-1-5-18\Dc1\system.dll
Adware:Adware/ActiveSearch Not disinfected C:\RECYCLER\S-1-5-18\Dc2\system.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Virus:Trj/Alanchum.SH Disinfected C:\SDFix\backups\backups.zip[backups/6.dllb]
Adware:Adware/Adsmart Not disinfected C:\SDFix\backups\backups.zip[backups/kernels88.exe]
Virus:Trj/Alanchum.SH Disinfected C:\SDFix\backups\backups.zip[backups/ma.exe.exe]
Adware:Adware/Pics-Factory Not disinfected C:\SDFix\backups\backups.zip[backups/svchosts.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\virusstuff\smitRem\Process.exe
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\WINDOWS\Downloaded Program Files\UERS_9999_N91S2507NetInstaller.exe
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\hkcmd.exe
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\igfxpers.exe
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\igfxtray.exe
Virus:Trj/Alanchum.SH Disinfected C:\WINDOWS\system32\mm.exe
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\NeroCheck.exe

****AWF LOG


Find AWF report by noahdfear 2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~



25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report


***HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 1:03:28 PM, on 2/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mail-www.oit.umass.edu/horde/imp/ns...hp?reason=login
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136602146\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - C:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - C:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



Thanks for all of your continuing help, you guys are great.

- Coop
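
The Panda report above mixes three very different kinds of hit: copies already sitting in C:\quarantine, the SDFix and smitRem backup folders and the Recycle Bin (residue of earlier cleanup rounds), tracking cookies, and detections on files that are still live on the system (the Common Files system.dll, the Temp win32.exe, and the system32 files Charles asks for next). The script below is an added example, not code from this thread or from Panda: it parses the "Incident Status Location" lines and sorts them into those groups so the live items stand out. The list of contained folders is an assumption built from the folders that appear in this thread's own log, and the sample input is a handful of lines copied from the report above.

```python
"""Added example (not from the thread or from Panda): parse Panda ActiveScan
report lines and triage them by what they mean for the running system."""
import re

# One report line: "<category>:<name> <status> <location>".
PANDA_LINE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>\S+)\s+"
    r"(?P<status>Not disinfected|Disinfected)\s+"
    r"(?P<location>\S.*?)\s*$"
)

# Folders holding copies already pulled out of the way by earlier tools
# (quarantine, SDFix/smitRem backups, Recycle Bin). Assumed from this thread's log.
CONTAINED_PREFIXES = (
    "c:\\quarantine\\",
    "c:\\sdfix\\",
    "c:\\virusstuff\\smitrem\\",
    "c:\\recycler\\",
)
# Hits inside the cleanup tools' own archives, e.g. "SDFix.exe[SDFix\apps\Process.exe]".
CONTAINED_ARCHIVES = ("sdfix.exe[", "smitrem.exe[")

# Sample input: lines copied from the Panda report posted in this thread.
SAMPLE_REPORT = """\
Incident Status Location

Spyware:Cookie/Atwola Not disinfected C:\\Documents and Settings\\Administrator\\Cookies\\administrator@atwola[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\\Documents and Settings\\Administrator\\Desktop\\SDFix.exe[SDFix\\apps\\Process.exe]
Adware:Adware/Adsmart Not disinfected C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\win32.exe
Virus:Trj/Alanchum.SH Disinfected C:\\WINDOWS\\system32\\mm.exe
Adware:Adware/ActiveSearch Not disinfected C:\\Program Files\\Common Files\\{B416DA83-0AED-1033-0820-040203200001}\\system.dll
Adware:Adware/SystemDoctor Not disinfected C:\\WINDOWS\\system32\\hkcmd.exe
Hacktool:Exploit/ByteVerify Not disinfected C:\\quarantine\\archive.jar-18c47286-12cb7bf9.zip.Vir[BlackBox.class]
Hacktool:Rootkit/Nurech.A Not disinfected C:\\quarantine\\wincom32.sys.Vir
Potentially unwanted tool:Application/Psexec.A Not disinfected C:\\quarantine\\Pstools.zip.Vir[psexec.exe]
Adware:Adware/ActiveSearch Not disinfected C:\\RECYCLER\\S-1-5-18\\Dc1\\system.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\\SDFix\\apps\\Process.exe
"""


def parse_panda_report(text):
    """Return one dict per incident line; header, blank and unparseable lines are skipped."""
    incidents = []
    for line in text.splitlines():
        m = PANDA_LINE.match(line.strip())
        if m:
            incidents.append(m.groupdict())
    return incidents


def classify(incident):
    """Map an incident to: cleaned, tracking_cookie, contained, or live."""
    if incident["status"] == "Disinfected":
        return "cleaned"
    if incident["name"].startswith("Cookie/"):
        return "tracking_cookie"
    loc = incident["location"].lower()
    if loc.startswith(CONTAINED_PREFIXES) or any(a in loc for a in CONTAINED_ARCHIVES):
        return "contained"
    return "live"


def triage(text):
    """Group the parsed incidents; 'live' is the list that still needs action."""
    groups = {"live": [], "contained": [], "tracking_cookie": [], "cleaned": []}
    for inc in parse_panda_report(text):
        groups[classify(inc)].append(inc)
    return groups


def summarize(groups):
    """Counts per group, the one-line view a helper wants first."""
    return {k: len(v) for k, v in groups.items()}


if __name__ == "__main__":
    g = triage(SAMPLE_REPORT)
    print(summarize(g))
    for inc in g["live"]:
        print("LIVE:", inc["name"], "->", inc["location"])
```

On the sample, the live group is exactly the three files outside any quarantine or backup folder (win32.exe, the Common Files system.dll and system32\hkcmd.exe); the quarantine and SDFix hits are reported but do not by themselves mean the machine is still infected, which is why Charles's next step targets the system32 files rather than the quarantine entries.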

#10 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:07:26 AM

Posted 01 March 2007 - 11:41 AM

Hey there,
Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the Desktop but do not run it.

Reboot into Safe Mode

Paste the following bold part into the Suspicious File Packer window:
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray.exe

Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that has been created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#11 coop1333

coop1333
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:26 AM

Posted 01 March 2007 - 02:31 PM

Files have been posted.


Thanks Charles,

- Coop

#12 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:07:26 AM

Posted 02 March 2007 - 02:29 AM

Hello Coop,
Give me a while to take a look at those files and I'll get back to you as soon as possible. :thumbsup:

If you are pleased with the service I have offered, you may like to consider making a donation.


#13 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:07:26 AM

Posted 02 March 2007 - 12:41 PM

Hello there,
The files you submitted are infected, but don't worry, we'll try and clean you up. There is a possibility that you may have become reinfected, so I'd like you to post me another FindAWF log in your next reply, please.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#14 coop1333

coop1333
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:26 AM

Posted 02 March 2007 - 02:21 PM

Find AWF report by noahdfear 2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~



25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#15 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:07:26 AM

Posted 03 March 2007 - 12:34 PM

Do you still have the "bak" folders in your Recycle Bin?

If you are pleased with the service I have offered, you may like to consider making a donation.
