Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Adware: Win32/newdotnet


  • This topic is locked This topic is locked
11 replies to this topic

#1 IT_Guy

IT_Guy

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 09 April 2007 - 03:39 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:30:51 PM, on 4/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\kernels32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\FACSys\FACSys Mail Printer\faxmail.exe
C:\WINDOWS\HPLiteSaver.exe
\schw2k1\Install Disks\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://infosource.hrh.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://infosource.hrh.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://125.212.52.245/dc/605132802/5050/21...1175718345.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {199631E4-F6EE-4148-6AA9-8F68CC567D89} - C:\Program Files\Movie Maker\labuvumic.dll (file missing)
O2 - BHO: DeskalertsBHO - {5298B64F-C3F6-4e81-8A30-627CA3671C7C} - C:\Program Files\DeskAlerts\deskbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp14.tmp.dll
O2 - BHO: Helper Class - {890C7964-9320-4055-BE11-7D7B562A6417} - C:\WINDOWS\system32\mstrans.dll
O2 - BHO: (no name) - {fecd3c99-511e-42ed-84b1-276c0b26311d} - C:\WINDOWS\system32\autdlt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Java Web Start] C:\WINDOWS\TEMP\1B0.tmp
O4 - HKLM\..\Run: [winctl] winctl.exe /install
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\yaxyab.dll",realset
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels32.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FACSys Mail Printer.lnk = C:\Program Files\FACSys\FACSys Mail Printer\faxmail.exe
O4 - Global Startup: HP Display LiteSaver Startup.lnk = C:\WINDOWS\HPLiteSaver.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\jqxjlavsm.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jqxjlavsm.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jqxjlavsm.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jqxjlavsm.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jqxjlavsm.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jqxjlavsm.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jqxjlavsm.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jqxjlavsm.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jqxjlavsm.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jqxjlavsm.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jqxjlavsm.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jqxjlavsm.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jqxjlavsm.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jqxjlavsm.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jqxjlavsm.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jqxjlavsm.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jqxjlavsm.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jqxjlavsm.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\jqxjlavsm.dll
O14 - IERESET.INF: START_PAGE_URL=http://infosource.hrh.com
O15 - Trusted Zone: www.brokeragebuilder.com
O15 - Trusted Zone: *.hrh.com
O15 - Trusted Zone: *.mywaveportal.com
O15 - Trusted Zone: *.skillport.com
O15 - Trusted Zone: *.skillsoft.com
O15 - Trusted Zone: www.brokeragebuilder.com (HKLM)
O15 - Trusted Zone: *.hrh.com (HKLM)
O15 - Trusted Zone: *.mywaveportal.com (HKLM)
O15 - Trusted Zone: *.skillport.com (HKLM)
O15 - Trusted Zone: *.skillsoft.com (HKLM)
O16 - DPF: {133FB0BC-5EB8-11D2-AA17-00104B0753B3} (Artizan.Artiload) - https://wp4.sagitta-online.com/hrhmw/Sagitt...ve/Artiload.CAB
O16 - DPF: {16A31F60-60A4-4E06-A23F-0F7682A6A2C9} (AMSIDvalet.IDbot) - https://wp4.sagitta-online.com/hrhmw/Sagitt.../AMSIDvalet.CAB
O16 - DPF: {16AF6C10-0D0A-4B65-8866-ABE32D26F256} (AmsInet Control) - https://wp4.sagitta-online.com/hrhmw/Sagitt...ive/AMSInet.cab
O16 - DPF: {358D1451-9F77-4D6E-97EE-89BF9AA3A8CC} (CBDAMS.ctlCBDAMS) - https://wp4.sagitta-online.com/hrhmw/Sagitt...tive/CBDAMS.CAB
O16 - DPF: {42B9A659-1A02-11D3-A58E-00104B0753B3} (PageMaster.Controler) - https://wp4.sagitta-online.com/hrhmw/Sagitt.../PageMaster.CAB
O16 - DPF: {44705D5B-A145-11D4-9DD0-00805F010928} (GetWord.AMSDocument) - https://wp4.sagitta-online.com/hrhmw/Sagitt...ive/GetWord.CAB
O16 - DPF: {4EEE32DD-0DA0-11D1-9716-0000C0C9767A} (SeaReach 3.0 Application Object) - https://eforms7.sagitta-online.com/AMSeForms/rakis.cab
O16 - DPF: {51562FAD-DC70-11D2-BFF0-00105A97F884} (AMSCopyMergeControl.AMSCopyMerge) - https://wp4.sagitta-online.com/hrhmw/Sagitt...MSCopyMerge.CAB
O16 - DPF: {629F093A-068F-48BE-B8F7-C510302F6AE2} (AeFHistCtrl.AeFHisFrm) - https://eforms7.sagitta-online.com/AMSeForms/AeFHist.CAB
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - https://eforms7.sagitta-online.com/AMSeForms/iemenu.cab
O16 - DPF: {943FDFA6-C7FE-11D2-AA17-3C3A09C10000} (AMSTransfer.main) - https://wp4.sagitta-online.com/hrhmw/Sagitt...AMSTransfer.CAB
O16 - DPF: {A1B77D23-31EE-11D2-AA17-00104B0753B3} (asynchtree.tree) - https://wp4.sagitta-online.com/hrhmw/Sagitt.../asynchtree.CAB
O16 - DPF: {C4DD002B-53B1-11D2-AA17-00104B0753B3} (AsynchGrid.Grid) - https://wp4.sagitta-online.com/hrhmw/Sagitt.../AsynchGrid.CAB
O16 - DPF: {C87910BF-030D-4D9D-B1D9-A17936F3A863} (AMSEXInt.SagExCtl) - https://wp4.sagitta-online.com/hrhmw/Sagitt...ve/AMSEXInt.CAB
O16 - DPF: {D2152F13-9949-4A3A-9DDD-4E62BCD3862E} (AeFEmailProject.AeFEmailControl) - https://eforms7.sagitta-online.com/AMSeForms/aefem.cab
O16 - DPF: {DF29403F-0E3C-46D2-9035-5CE999EFC10F} (AeFPrintDialog Control) - https://eforms7.sagitta-online.com/AMSeForms/amseforms.cab
O16 - DPF: {E5F3552D-6AEC-11D0-A8A1-0000C0B3632C} (LanYard 3.0 Application Object) - https://eforms7.sagitta-online.com/AMSeForms/rakis.cab
O16 - DPF: {E64DAB43-9B91-11D4-A857-00C04F21F657} (Skylon 1.0 Application Object) - https://eforms7.sagitta-online.com/AMSeForms/rakis.cab
O16 - DPF: {EDF59A80-77FB-4368-920E-27904A98172D} (AeFClCtrl.AeFFormsCl) - https://eforms7.sagitta-online.com/AMSeForms/amseforms.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - https://eforms7.sagitta-online.com/AMSeForms/ikmenu.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MW.HRH.COM
O17 - HKLM\Software\..\Telephony: DomainName = MW.HRH.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MW.HRH.COM
O20 - AppInit_DLLs:
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


I am not a pro at reading these but the line with IP address 125.212.52.245 in it does not look right. Either way please help and assist.

I have scanned this machine with Symantec Anti Virus close to 10 times(each time comes back clean), scanned it with Spybot(comes back clean), Adware(comes back clean) and Windows Defender(detects win32/newdotnet). All scans have been full aggressive scans.

Please help.

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:11 PM

Posted 09 April 2007 - 05:37 PM

Welcome to the BleepingComputer HijackThis forum IT_Guy :thumbsup:

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as..Save as Type: 'All Files' File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry,then reboot.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-

*******************************

Download LSPFix from:
http://www.bleepingcomputer.com/files/spyware/lspfix.zip
Once LSP-Fix is downloaded, extract it to your desktop.
Close all windows on your computer.
Launch/start lspfix.
Put a checkmark in the 'I know what I'm doing' checkbox.
Now move any instances of "jqxjlavsm.dll" into the remove box using the >> button.
Press the finish button.
Then reboot.

*******************************

Download DelDomains.zip and extract/unzip it to your desktop:
Now right click on Deldomains.inf then click on 'Install'.
After right clicking on Deldomains.inf 'Install' it will have appeared nothing happened,this is normal.

*******************************

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

*******************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab,and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan,download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen,under 'How to act?',then under 'Set default action for detected malware to:', click on 'Recommended actions',then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware,don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: 0 - {199631E4-F6EE-4148-6AA9-8F68CC567D89} - C:\Program Files\Movie Maker\labuvumic.dll (file missing)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp14.tmp.dll
O2 - BHO: Helper Class - {890C7964-9320-4055-BE11-7D7B562A6417} - C:\WINDOWS\system32\mstrans.dll
O2 - BHO: (no name) - {fecd3c99-511e-42ed-84b1-276c0b26311d} - C:\WINDOWS\system32\autdlt.dll
O4 - HKLM\..\Run: [Java Web Start] C:\WINDOWS\TEMP\1B0.tmp
O4 - HKLM\..\Run: [winctl] winctl.exe /install
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\yaxyab.dll",realset
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels32.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

Exit Hijackthis.

Find and delete if present:
C:\WINDOWS\system32\tmp14.tmp.dll
C:\WINDOWS\system32\mstrans.dll
C:\WINDOWS\system32\autdlt.dll
C:\WINDOWS\system32\kernels32.exe
C:\WINDOWS\TEMP<-Delete everything inside this Temp folder.
C:\WINDOWS\yaxyab.dll
winctl.exe
C:\PROGRAM FILES\NEWDOTNET or NEWNET

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient,it takes a while for the scan to finish.

Once the scan is complete,do the following.
If AVG Anti-Spyware detected any infected objects:,click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

Post the AVG Anti Spyware report and a new Hijackthis log into your next reply please.
Posted Image
Posted Image

#3 IT_Guy

IT_Guy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 10 April 2007 - 11:52 AM

RichieUK,

Thank you for replying to my problem. I followed your instructions as close as i could. I had some trouble starting in Safe mode. For some reason everytime I rebooted in Safe mode my DCOM Server Process would fail unexpectedly and my computer would prompt me it was going to restart. So I deleted the files that i could. Here are the two reports, one from AVG and the other from Hijack This.


********AVG Report************

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:36:54 AM 4/10/2007

+ Scan result:



C:\Documents and Settings\sajrt\Local Settings\Temporary Internet Files\Content.IE5\WDYF01MV\NNSKYA638[1].exe -> Adware.NewDotNet : Cleaned.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP714\A0039992.exe -> Adware.NewDotNet : Cleaned.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP714\A0039993.exe -> Adware.NewDotNet : Cleaned.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP714\A0039998.dll -> Adware.NewDotNet : Cleaned.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP715\A0040112.exe -> Adware.NewDotNet : Cleaned.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP715\A0040113.exe -> Adware.NewDotNet : Cleaned.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP715\A0040115.exe -> Adware.NewDotNet : Cleaned.
C:\Documents and Settings\ddazzo\Cookies\ddazzo@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\ddazzo\Cookies\ddazzo@adc.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\ddazzo\Cookies\ddazzo@getmusicfree.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\ddazzo\Cookies\ddazzo@pan.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\ddazzo\Cookies\ddazzo@prizeamerica.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\ddazzo\Cookies\ddazzo@psu.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\sajrt\Cookies\sajrt@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\sajrt\Cookies\sajrt@arn.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\sajrt\Cookies\sajrt@dssatlascreditgroup.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\sajrt\Cookies\sajrt@getmusicfree.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\sajrt\Cookies\sajrt@prizeamerica.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\ddazzo\Cookies\ddazzo@rotator.its.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\ddazzo\Cookies\ddazzo@track.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\sajrt\Cookies\sajrt@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\ddazzo\Cookies\ddazzo@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\sajrt\Cookies\sajrt@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\sajrt\Local Settings\Temp\Cookies\sajrt@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\sajrt\Cookies\sajrt@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\sajrt\Cookies\sajrt@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\sajrt\Cookies\sajrt@ehg-maniatv.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\sajrt\Cookies\sajrt@ehg-traderpublishing.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\sajrt\Cookies\sajrt@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\sajrt\Cookies\sajrt@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\ddazzo\Cookies\ddazzo@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\sajrt\Cookies\sajrt@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\ddazzo\Cookies\ddazzo@h.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\ddazzo\Cookies\ddazzo@try.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\sajrt\Cookies\sajrt@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\sajrt\Cookies\sajrt@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\sajrt\Cookies\sajrt@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\sajrt\Cookies\sajrt@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\sajrt\Cookies\sajrt@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.


::Report end

*************END Report*******************



**********Hijack This Report**************

Logfile of HijackThis v1.99.1
Scan saved at 11:44:02 AM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\FACSys\FACSys Mail Printer\faxmail.exe
C:\WINDOWS\HPLiteSaver.exe
\schw2k1\Install Disks\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://infosource.hrh.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://infosource.hrh.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://125.212.52.245/dc/605132802/5050/21...1175718345.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by HRH Midwest Region
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DeskalertsBHO - {5298B64F-C3F6-4e81-8A30-627CA3671C7C} - C:\Program Files\DeskAlerts\deskbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {fecd3c99-511e-42ed-84b1-276c0b26311d} - C:\WINDOWS\system32\autdlt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [winctl] winctl.exe /install
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FACSys Mail Printer.lnk = C:\Program Files\FACSys\FACSys Mail Printer\faxmail.exe
O4 - Global Startup: HP Display LiteSaver Startup.lnk = C:\WINDOWS\HPLiteSaver.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://infosource.hrh.com
O16 - DPF: {133FB0BC-5EB8-11D2-AA17-00104B0753B3} (Artizan.Artiload) - https://wp4.sagitta-online.com/hrhmw/Sagitt...ve/Artiload.CAB
O16 - DPF: {16A31F60-60A4-4E06-A23F-0F7682A6A2C9} (AMSIDvalet.IDbot) - https://wp4.sagitta-online.com/hrhmw/Sagitt.../AMSIDvalet.CAB
O16 - DPF: {16AF6C10-0D0A-4B65-8866-ABE32D26F256} (AmsInet Control) - https://wp4.sagitta-online.com/hrhmw/Sagitt...ive/AMSInet.cab
O16 - DPF: {358D1451-9F77-4D6E-97EE-89BF9AA3A8CC} (CBDAMS.ctlCBDAMS) - https://wp4.sagitta-online.com/hrhmw/Sagitt...tive/CBDAMS.CAB
O16 - DPF: {42B9A659-1A02-11D3-A58E-00104B0753B3} (PageMaster.Controler) - https://wp4.sagitta-online.com/hrhmw/Sagitt.../PageMaster.CAB
O16 - DPF: {44705D5B-A145-11D4-9DD0-00805F010928} (GetWord.AMSDocument) - https://wp4.sagitta-online.com/hrhmw/Sagitt...ive/GetWord.CAB
O16 - DPF: {4EEE32DD-0DA0-11D1-9716-0000C0C9767A} (SeaReach 3.0 Application Object) - https://eforms7.sagitta-online.com/AMSeForms/rakis.cab
O16 - DPF: {51562FAD-DC70-11D2-BFF0-00105A97F884} (AMSCopyMergeControl.AMSCopyMerge) - https://wp4.sagitta-online.com/hrhmw/Sagitt...MSCopyMerge.CAB
O16 - DPF: {629F093A-068F-48BE-B8F7-C510302F6AE2} (AeFHistCtrl.AeFHisFrm) - https://eforms7.sagitta-online.com/AMSeForms/AeFHist.CAB
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - https://eforms7.sagitta-online.com/AMSeForms/iemenu.cab
O16 - DPF: {943FDFA6-C7FE-11D2-AA17-3C3A09C10000} (AMSTransfer.main) - https://wp4.sagitta-online.com/hrhmw/Sagitt...AMSTransfer.CAB
O16 - DPF: {A1B77D23-31EE-11D2-AA17-00104B0753B3} (asynchtree.tree) - https://wp4.sagitta-online.com/hrhmw/Sagitt.../asynchtree.CAB
O16 - DPF: {C4DD002B-53B1-11D2-AA17-00104B0753B3} (AsynchGrid.Grid) - https://wp4.sagitta-online.com/hrhmw/Sagitt.../AsynchGrid.CAB
O16 - DPF: {C87910BF-030D-4D9D-B1D9-A17936F3A863} (AMSEXInt.SagExCtl) - https://wp4.sagitta-online.com/hrhmw/Sagitt...ve/AMSEXInt.CAB
O16 - DPF: {D2152F13-9949-4A3A-9DDD-4E62BCD3862E} (AeFEmailProject.AeFEmailControl) - https://eforms7.sagitta-online.com/AMSeForms/aefem.cab
O16 - DPF: {DF29403F-0E3C-46D2-9035-5CE999EFC10F} (AeFPrintDialog Control) - https://eforms7.sagitta-online.com/AMSeForms/amseforms.cab
O16 - DPF: {E5F3552D-6AEC-11D0-A8A1-0000C0B3632C} (LanYard 3.0 Application Object) - https://eforms7.sagitta-online.com/AMSeForms/rakis.cab
O16 - DPF: {E64DAB43-9B91-11D4-A857-00C04F21F657} (Skylon 1.0 Application Object) - https://eforms7.sagitta-online.com/AMSeForms/rakis.cab
O16 - DPF: {EDF59A80-77FB-4368-920E-27904A98172D} (AeFClCtrl.AeFFormsCl) - https://eforms7.sagitta-online.com/AMSeForms/amseforms.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - https://eforms7.sagitta-online.com/AMSeForms/ikmenu.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MW.HRH.COM
O17 - HKLM\Software\..\Telephony: DomainName = MW.HRH.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MW.HRH.COM
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

***********End Hijack This Report*****************


Thanks again.

IT_Guy

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:11 PM

Posted 10 April 2007 - 12:27 PM

Download Killbox by Option^Explicit:
http://download.bleepingcomputer.com/spyware/KillBox.zip
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select: 'Delete on Reboot'.
Then Click on the 'All Files' button.
Please copy ALL the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\winctl.exe
C:\WINDOWS\system32\autdlt.dll


Return to Killbox,go to the File menu,and choose 'Paste from Clipboard'.
Click the red-and-white Delete File button.
Click 'Yes' at the 'Delete on Reboot' prompt.
Click OK at any 'PendingFileRenameOperations' prompt.
If your computer does not restart automatically,please restart it manually.


After rebooting, open up Killbox again.
Click 'File'>'Logs'>'Actions History Log'.
Post this log in your next reply.

**************************

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {fecd3c99-511e-42ed-84b1-276c0b26311d} - C:\WINDOWS\system32\autdlt.dll
O4 - HKLM\..\Run: [winctl] winctl.exe /install


Fix this entry if you're absolutely certain you don't recognise it:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://125.212.52.245/dc/605132802/5050/21...1175718345.html

Exit Hijackthis,restart your pc.
Post the Actions History Log from Killbox,and a new Hijackthis log into your next reply.
Let me know how the pc is running now please.
Posted Image
Posted Image

#5 IT_Guy

IT_Guy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 10 April 2007 - 01:25 PM

RichieUK,

Here are the new logs.


******Killbox Log*********
Pocket Killbox version 2.0.0.648
Running on Windows XP as sajrt(Administrator)
was started @ Tuesday, April 10, 2007, 12:52 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\winctl.exe


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\autdlt.dll


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\winctl.exe


# 4 [Delete on Reboot]
Path = C:\WINDOWS\system32\autdlt.dll


I Rebooted @ 12:56:23 PM
Killbox Closed(Exit) @ 12:56:23 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as sajrt(Administrator)
was started @ Tuesday, April 10, 2007, 1:01 PM

****End Killbox Log******************


******Hijack This Log************
Logfile of HijackThis v1.99.1
Scan saved at 1:08:57 PM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\FACSys\FACSys Mail Printer\faxmail.exe
C:\WINDOWS\HPLiteSaver.exe
\schw2k1\Install Disks\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://infosource.hrh.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://infosource.hrh.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by HRH Midwest Region
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DeskalertsBHO - {5298B64F-C3F6-4e81-8A30-627CA3671C7C} - C:\Program Files\DeskAlerts\deskbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FACSys Mail Printer.lnk = C:\Program Files\FACSys\FACSys Mail Printer\faxmail.exe
O4 - Global Startup: HP Display LiteSaver Startup.lnk = C:\WINDOWS\HPLiteSaver.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://infosource.hrh.com
O16 - DPF: {133FB0BC-5EB8-11D2-AA17-00104B0753B3} (Artizan.Artiload) - https://wp4.sagitta-online.com/hrhmw/Sagitt...ve/Artiload.CAB
O16 - DPF: {16A31F60-60A4-4E06-A23F-0F7682A6A2C9} (AMSIDvalet.IDbot) - https://wp4.sagitta-online.com/hrhmw/Sagitt.../AMSIDvalet.CAB
O16 - DPF: {16AF6C10-0D0A-4B65-8866-ABE32D26F256} (AmsInet Control) - https://wp4.sagitta-online.com/hrhmw/Sagitt...ive/AMSInet.cab
O16 - DPF: {358D1451-9F77-4D6E-97EE-89BF9AA3A8CC} (CBDAMS.ctlCBDAMS) - https://wp4.sagitta-online.com/hrhmw/Sagitt...tive/CBDAMS.CAB
O16 - DPF: {42B9A659-1A02-11D3-A58E-00104B0753B3} (PageMaster.Controler) - https://wp4.sagitta-online.com/hrhmw/Sagitt.../PageMaster.CAB
O16 - DPF: {44705D5B-A145-11D4-9DD0-00805F010928} (GetWord.AMSDocument) - https://wp4.sagitta-online.com/hrhmw/Sagitt...ive/GetWord.CAB
O16 - DPF: {4EEE32DD-0DA0-11D1-9716-0000C0C9767A} (SeaReach 3.0 Application Object) - https://eforms7.sagitta-online.com/AMSeForms/rakis.cab
O16 - DPF: {51562FAD-DC70-11D2-BFF0-00105A97F884} (AMSCopyMergeControl.AMSCopyMerge) - https://wp4.sagitta-online.com/hrhmw/Sagitt...MSCopyMerge.CAB
O16 - DPF: {629F093A-068F-48BE-B8F7-C510302F6AE2} (AeFHistCtrl.AeFHisFrm) - https://eforms7.sagitta-online.com/AMSeForms/AeFHist.CAB
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - https://eforms7.sagitta-online.com/AMSeForms/iemenu.cab
O16 - DPF: {943FDFA6-C7FE-11D2-AA17-3C3A09C10000} (AMSTransfer.main) - https://wp4.sagitta-online.com/hrhmw/Sagitt...AMSTransfer.CAB
O16 - DPF: {A1B77D23-31EE-11D2-AA17-00104B0753B3} (asynchtree.tree) - https://wp4.sagitta-online.com/hrhmw/Sagitt.../asynchtree.CAB
O16 - DPF: {C4DD002B-53B1-11D2-AA17-00104B0753B3} (AsynchGrid.Grid) - https://wp4.sagitta-online.com/hrhmw/Sagitt.../AsynchGrid.CAB
O16 - DPF: {C87910BF-030D-4D9D-B1D9-A17936F3A863} (AMSEXInt.SagExCtl) - https://wp4.sagitta-online.com/hrhmw/Sagitt...ve/AMSEXInt.CAB
O16 - DPF: {D2152F13-9949-4A3A-9DDD-4E62BCD3862E} (AeFEmailProject.AeFEmailControl) - https://eforms7.sagitta-online.com/AMSeForms/aefem.cab
O16 - DPF: {DF29403F-0E3C-46D2-9035-5CE999EFC10F} (AeFPrintDialog Control) - https://eforms7.sagitta-online.com/AMSeForms/amseforms.cab
O16 - DPF: {E5F3552D-6AEC-11D0-A8A1-0000C0B3632C} (LanYard 3.0 Application Object) - https://eforms7.sagitta-online.com/AMSeForms/rakis.cab
O16 - DPF: {E64DAB43-9B91-11D4-A857-00C04F21F657} (Skylon 1.0 Application Object) - https://eforms7.sagitta-online.com/AMSeForms/rakis.cab
O16 - DPF: {EDF59A80-77FB-4368-920E-27904A98172D} (AeFClCtrl.AeFFormsCl) - https://eforms7.sagitta-online.com/AMSeForms/amseforms.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - https://eforms7.sagitta-online.com/AMSeForms/ikmenu.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MW.HRH.COM
O17 - HKLM\Software\..\Telephony: DomainName = MW.HRH.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MW.HRH.COM
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

*****End Hijack This log****************


Thanks.

IT_Guy

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:11 PM

Posted 10 April 2007 - 02:40 PM

Your log is clean :thumbsup:
If all's ok,please do the following:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading unselect 'Show hidden files and folders'.
* Re-check the 'Hide file extensions for known types' option.
* Re-check the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

Please Note:
Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u1'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java versions.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.
Posted Image
Posted Image

#7 IT_Guy

IT_Guy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 10 April 2007 - 02:47 PM

Its good to hear that the log looks clean but I am unfortunately still having problems with popups when I open IE.

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:11 PM

Posted 10 April 2007 - 03:29 PM

Can you post any information about these popups please.

Download Winpfind V2.0.2 and extract the contents to your desktop:
http://download.bleepingcomputer.com/oldtimer/winpfind.exe
Open the WinPFind folder and double click on Winpfind.exe
Leave the configuation settings as they are and click on 'Run Scan'.
The scan will take some time to complete so please be patient.
Once complete close the program.
Open the WinPFind folder,then copy and paste the entire content of winpfind.txt into your next reply.
*NOTE*
It may take more than one reply to post the whole winpfind.txt.
Posted Image
Posted Image

#9 IT_Guy

IT_Guy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 10 April 2007 - 05:06 PM

RichieUK,

Attached is a screenshot of the error that i get when trying to run Winpfind. I get about 2-3 seconds into the scan and i get this message. Thanks.

IT_Guy

Attached Files



#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:11 PM

Posted 10 April 2007 - 05:16 PM

Ok,try this instead:
Download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply please.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Posted Image
Posted Image

#11 IT_Guy

IT_Guy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 11 April 2007 - 11:19 AM

RichieUK,

Looks like my pc couldn't take anymore scanning and died on me. I downloaded the software and did the scan like you instructed but afterwards it could not boot up. I even tried safe mode and last known good configurations but they did not help either. I guess i am at the point of hooking up the hard drive as a slave and getting what was saved on it off and just wiping it clean and starting over.

From the scans, it looks like the adware/malware was pretty deep in the registry. Thanks again for the assistance. If in the future I need another Hijack this log analyzed, i know where to come.

IT_Guy

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:11 PM

Posted 11 April 2007 - 12:25 PM

You're welcome and hope all goes well for you,thanks for the update :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter.
Everyone else please begin a New Topic.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users