I Also Have The Smitfraud-c.toolbar888 Virus


5 replies to this topic

#1 RamenRules
  • Members
  • 9 posts

Posted 08 May 2007 - 10:12 AM

I've seen some of the other users here get fixed up with this computer virus, so I'm now a new member here as well, with the hope that you fine folks can help me out with this problem too.

I have both IE and Firefox browsers on my laptop. IE appears to be the victim of some kind of hijacking. I get constant pop-ups for various antivirus removal sites. Also, when I have tried to browse to some of the legit antivirus sites, I will often get redirected to the less legit ones. When I try to shut those windows down, I usually get a pop-up window which can't be closed, which forces me to shut down IE entirely, thus making it close to useless while it's in its current state. Firefox had pop-ups as well until I configured it to block them.

I've run Ad-Aware and Spybot S&D. Spybot keeps finding the Smitfraud-c.toolbar888 entry, which it can never delete. I have Avast Home version antivirus installed and it has found a number of different viruses, but there might be an issue with it right now as it can't seem to add newer items to the chest. I also tried running BitDefender's free online scan and it also found a number of items, mostly in my personal folder, but IE crashed before it was able to finish its scan. I just installed Stinger and it's running as I type this.

Here is the HijackThis log from yesterday afternoon:

Logfile of HijackThis v1.99.1
Scan saved at 4:08:17 PM, on 5/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Sierra Wireless Inc\AirCard 555\Verizon\Components\SwiWiFiComm.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telog.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telog.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.telog.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\help\tours\windowsmediaplayer\cnt\contents.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM32\content.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AirCardEnabler] "C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\xbkpkjiv.dll",realset
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HP Mobile Printing] C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: http://*.hotmail.com
O15 - Trusted Zone: http://loginnet.passport.com
O15 - Trusted Zone: http://*.server4
O15 - Trusted Zone: http://dms.telog.com
O15 - Trusted Zone: http://www.telog.com
O15 - Trusted Zone: http://housecall.trendmicro.com
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: {2E1F8E94-B9A6-4D96-BE5D-38F69C13AC4B} (PCSWMMGraph.ctlGraph) - http://demo.craflowmonitoring.com/PCSWMM/PCSWMMGraph.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7C5A8649-B63F-4DB8-8F8C-D9DB55E9E158} (PCSWMMWebHGL.ctlHGL) - http://demo.craflowmonitoring.com/PCSWMM/PCSWMMWebHGL.CAB
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = telogvictor.com
O17 - HKLM\Software\..\Telephony: DomainName = telogvictor.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = telogvictor.com
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SwiWiFiComm - Unknown owner - C:\Program Files\Sierra Wireless Inc\AirCard 555\Verizon\Components\SwiWiFiComm.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe



Any help in fixing this computer is greatly appreciated.

Patiently yours,

Henry


#2 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 08 May 2007 - 10:18 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, RamenRules. :thumbsup:

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double-click on ComboFix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running.
That may cause the program to freeze/hang.


**********************

Now go to:
C:\HijackThis\HijackThis.exe
Right-click on HijackThis.exe, select 'Rename', and rename it to abc.bat.
Double-click on abc.bat (which is still HijackThis.exe) and post that log into your next reply, please.

Edited by RichieUK, 08 May 2007 - 10:18 AM.


#3 RamenRules
  • Topic Starter
  • Members
  • 9 posts

Posted 08 May 2007 - 11:40 AM

Hi RichieUK,

Thank you so very much for your prompt reply. :thumbsup:

Here is my ComboFix log file:

"Administrator" - 2007-05-08 12:00:47 Service Pack 2
ComboFix 07-05.08.3.V - Running from: "C:\Documents and Settings\Administrator\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\vydrkuqp.dll
C:\WINDOWS\system32\xbkpkjiv.dll
C:\WINDOWS\system32\jiiii.bak1
C:\WINDOWS\system32\jiiii.bak2
C:\WINDOWS\system32\jiiii.ini
C:\WINDOWS\system32\jiiii.ini2
C:\WINDOWS\system32\jiiii.tmp
C:\WINDOWS\system32\vijkpkbx.ini
C:\WINDOWS\system32\iiiij.dll
C:\WINDOWS\system32\rqrpqrs.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\DOCUME~1\ADMINI~1\Desktop.\internet explorer.lnk
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\ADMINI~1
C:\qoobox\purity\C\DOCUME~1\ADMINI~1\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\ADMINI~1\MYDOCU~1\MCROSO~1
C:\qoobox\purity\C\Program Files\Common Files\YSTEM~1


((((((((((((((((((((((((((((((( Files Created from 2007-04-08 to 2007-05-08 ))))))))))))))))))))))))))))))))))


2007-05-08 10:24 <DIR> d-------- C:\Stinger
2007-05-07 13:29 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-05-07 09:51 <DIR> d-------- C:\HijackThis
2007-05-07 09:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-04-22 07:34 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-22 07:34 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-22 07:34 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-22 07:33 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-22 07:33 90,112 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-04-22 07:33 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-22 07:33 733,824 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-04-21 15:01 <DIR> d-------- C:\Program Files\Common Files\Ódobe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-08 15:53:24 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Skype
2007-05-05 15:45:06 4,383 ----a-w C:\WINDOWS\mozver.dat
2007-05-05 15:45:02 -------- d-----w C:\Program Files\DivX
2007-04-24 23:30:23 -------- d-----w C:\Program Files\BitTorrent
2007-04-22 19:39:28 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\BitTorrent
2007-04-21 19:49:20 -------- d-----w C:\Program Files\Common Files\?dobe
2007-04-05 23:45:32 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{00C6482D-C502-44C8-8409-FCE54AD9C208}"="C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AirCardEnabler"="\"C:\\Program Files\\Sierra Wireless Inc\\Network Adapter Manager\\Network Adapter Manager.exe\""
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"HP Mobile Printing"="C:\\Program Files\\Hewlett-Packard\\HP Mobile Printing\\HPBMOBIL.EXE"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##baginski2#dvd]
Shell\AutoRun\command Z:\Autorun\ShelExec.exe default.htm


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Telog Enterprise (ENETDEMO - ijij - student).job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-08 12:18:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\system.sav\CTO.TXT 4096 bytes
C:\system.sav\CTOHW.TXT 16 bytes
C:\system.sav\DAYLGSAV.reg 320 bytes
C:\system.sav\highgost.flg 32 bytes
C:\system.sav\info.bom 12288 bytes
C:\system.sav\ISLOGCHK.LOG 4096 bytes
C:\system.sav\logoff.bat 112 bytes
C:\system.sav\logoff.reg 288 bytes
C:\system.sav\mergelog.log 4096 bytes
C:\system.sav\REBOOT.ME 48 bytes
C:\system.sav\REGDEV.LOG 96 bytes
C:\system.sav\REGFLUSH.LOG 4096 bytes
C:\system.sav\RegionCF
C:\system.sav\RegionCF\euro.reg 216 bytes
C:\system.sav\RmDev.log 8192 bytes
C:\system.sav\util
C:\system.sav\util\AppEvBk1.old 65536 bytes
C:\system.sav\util\Audio.log 168 bytes
C:\system.sav\util\bootldr.flg 0 bytes
C:\system.sav\util\BOOTSEC.NT4 512 bytes
C:\system.sav\util\brand.exe 163840 bytes
C:\system.sav\util\BrandIt.Log 4096 bytes
C:\system.sav\util\CHKIMAGE.exe 118784 bytes
C:\system.sav\util\CIA.CDC 57344 bytes
C:\system.sav\util\CIA.INI 69632 bytes
C:\system.sav\util\CMDOOBE.CMD 72 bytes
C:\system.sav\util\CMDSWSET.CMD 64 bytes
C:\system.sav\util\COMPDATA.INI 4096 bytes
C:\system.sav\util\cvacompg.exe 184320 bytes
C:\system.sav\util\delcia.flg 32 bytes
C:\system.sav\util\DelDir.exe 36864 bytes
C:\system.sav\util\hpqnt.dll 90112 bytes
C:\system.sav\util\hsc.log 88 bytes
C:\system.sav\util\infobomg.exe 172032 bytes
C:\system.sav\util\INSTALL.LOG 274432 bytes
C:\system.sav\util\ISLOGCHK.EXE 110592 bytes
C:\system.sav\util\ISLOGCHK.INI 112 bytes
C:\system.sav\util\make_rtr.flg 136 bytes
C:\system.sav\util\mobproc.flg 136 bytes
C:\system.sav\util\oca.reg 352 bytes
C:\system.sav\util\oca_mrk.bat 256 bytes
C:\system.sav\util\oobe.min 144 bytes
C:\system.sav\util\oobe.wpe 4096 bytes
C:\system.sav\util\osexclude.txt 176 bytes
C:\system.sav\util\PININST.INI 48 bytes
C:\system.sav\util\PININST.LOG 0 bytes
C:\system.sav\util\POSTOOBE.CMD 456 bytes
C:\system.sav\util\POSTOOBE.LOG 24 bytes
C:\system.sav\util\postproc.ini 544 bytes
C:\system.sav\util\powerset.log 88 bytes
C:\system.sav\util\PREINCHK.BAT 184 bytes
C:\system.sav\util\random.ini 40 bytes
C:\system.sav\util\REGDEV.EXE 106496 bytes
C:\system.sav\util\REGDEV.INI 528 bytes
C:\system.sav\util\RMDEV.CMD 368 bytes
C:\system.sav\util\RMICONS.LOG 8 bytes
C:\system.sav\util\RMUSBDEV.CMD 504 bytes
C:\system.sav\util\RPC_KB823980.log 32 bytes
C:\system.sav\util\SecEvBk1.old 65536 bytes
C:\system.sav\util\sedxp.log 192 bytes
C:\system.sav\util\SUNJAVA.log 32768 bytes
C:\system.sav\util\SWSETUP.BTO 424 bytes
C:\system.sav\util\SWSETUP.CMD 136 bytes
C:\system.sav\util\SysEvBk1.old 65536 bytes
C:\system.sav\util\touchpad.log 192 bytes
C:\system.sav\util\WMI.BAT 48 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 66


********************************************************************

Completion time: 2007-05-08 12:20:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-08 12:20


Here is my new Hijackthis log file:

Logfile of HijackThis v1.99.1
Scan saved at 12:26:32 PM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Sierra Wireless Inc\AirCard 555\Verizon\Components\SwiWiFiComm.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telog.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.telog.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\help\tours\windowsmediaplayer\cnt\contents.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM32\content.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AirCardEnabler] "C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HP Mobile Printing] C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: http://*.hotmail.com
O15 - Trusted Zone: http://loginnet.passport.com
O15 - Trusted Zone: http://*.server4
O15 - Trusted Zone: http://dms.telog.com
O15 - Trusted Zone: http://www.telog.com
O15 - Trusted Zone: http://housecall.trendmicro.com
O16 - DPF: {2E1F8E94-B9A6-4D96-BE5D-38F69C13AC4B} (PCSWMMGraph.ctlGraph) - http://demo.craflowmonitoring.com/PCSWMM/PCSWMMGraph.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7C5A8649-B63F-4DB8-8F8C-D9DB55E9E158} (PCSWMMWebHGL.ctlHGL) - http://demo.craflowmonitoring.com/PCSWMM/PCSWMMWebHGL.CAB
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = telogvictor.com
O17 - HKLM\Software\..\Telephony: DomainName = telogvictor.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = telogvictor.com
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SwiWiFiComm - Unknown owner - C:\Program Files\Sierra Wireless Inc\AirCard 555\Verizon\Components\SwiWiFiComm.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe


ComboFix also created a quarantine log, which I will also post just in case it provides you with some useful info:


2004-12-29 16:12	  767	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\ADMINI~1\Desktop\Internet Explorer.lnk.vir
2007-04-21 15:01	  26694	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\rqrpqrs.dll.vir
2007-04-21 15:11	  281172	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\iiiij.dll.vir
2007-04-25 06:36	  32177	--a------	C:\Qoobox\Quarantine\C\Program Files\Common Files\Yazzle1122OinUninstaller.exe.vir
2007-05-02 21:49	  1407308	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\jiiii.bak1.vir
2007-05-03 21:52	  132660	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\xbkpkjiv.dll.vir
2007-05-05 20:35	  1511691	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\jiiii.ini.vir
2007-05-06 07:38	  1495591	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\jiiii.tmp.vir
2007-05-07 08:36	  1511903	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\jiiii.bak2.vir
2007-05-08 12:00	  1464144	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\vijkpkbx.ini.vir
2007-05-08 12:00	  49204	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\vydrkuqp.dll.vir
2007-05-08 12:04	  1516570	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\jiiii.ini2.vir


Folder PATH listing
Volume serial number is 0E8A-AD6E
C:\QOOBOX
+---purity
|   \---C
|	   +---DOCUME~1
|	   |   \---ADMINI~1
|	   |	   \---MYDOCU~1
|	   |		   \---MCROSO~1
|	   \---Program Files
|		   \---Common Files
|			   \---YSTEM~1
\---Quarantine
	+---C
	|   +---DOCUME~1
	|   |   \---ADMINI~1
	|   |	   \---Desktop
	|   |			   Internet Explorer.lnk.vir
	|   |			   
	|   +---Program Files
	|   |   \---Common Files
	|   |		   Yazzle1122OinUninstaller.exe.vir
	|   |		   
	|   \---WINDOWS
	|	   \---system32
	|			   iiiij.dll.vir
	|			   jiiii.bak1.vir
	|			   jiiii.bak2.vir
	|			   jiiii.ini.vir
	|			   jiiii.ini2.vir
	|			   jiiii.tmp.vir
	|			   rqrpqrs.dll.vir
	|			   vijkpkbx.ini.vir
	|			   vydrkuqp.dll.vir
	|			   xbkpkjiv.dll.vir
	|			   
	\---Registry_backups


Thank you again Richie.

Regards

Henry
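A triage script for the two HijackThis logs posted in this thread (the original log in the first post and the post-ComboFix log above), added here as an example; it is not code from the forum, from the poster or from HijackThis itself. It embeds excerpts of both logs, flags the entries a malware responder looks at first (the rundll32 Run entry loading a randomly named DLL from system32, the HKCU Internet Explorer policy restrictions, the Trusted Zone entry for *.sxload.net, and service paths that did not resolve), and diffs the two logs to show what the cleanup removed and what appeared afterwards. The allowlist of expected Trusted Zone domains and the vowel-ratio test for random file names are assumptions made for the example.

```python
"""Triage a HijackThis v1.99 log and diff a before/after pair.

Added example for this thread; not code from the forum or from HijackThis.
The rules are the example author's own and only flag entries for review.
"""
import re

# Excerpts copied from the two logs posted in this thread (before and after
# ComboFix), trimmed to the lines the triage rules look at.
BEFORE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telog.com/
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\xbkpkjiv.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: http://www.telog.com
O15 - Trusted Zone: http://*.hotmail.com
O15 - Trusted Zone: *.sxload.net (HKLM)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""
AFTER_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: http://www.telog.com
O15 - Trusted Zone: http://*.hotmail.com
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

# Assumption for this example: domains this laptop's owner is expected to
# trust (the employer's site and the Microsoft sign-in hosts seen in the log).
TRUSTED_ZONE_ALLOWLIST = {"telog.com", "hotmail.com", "passport.com"}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)', re.IGNORECASE)


def parse_entries(text):
    """Return (code, body) for every HijackThis entry line in the log text."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("code"), m.group("body")))
    return out


def looks_random(stem):
    """Crude test for generated file names: a vowel ratio far from English prose."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    ratio = sum(c in "aeiou" for c in letters) / len(letters)
    return ratio < 0.2 or ratio > 0.7


def triage(text):
    """Flag entries worth a second look. Returns a list of finding dicts."""
    findings = []

    def flag(severity, code, body, reason):
        findings.append({"severity": severity, "code": code,
                         "entry": f"{code} - {body}", "reason": reason})

    for code, body in parse_entries(text):
        if code == "O4":
            m = RUNDLL_RE.search(body)
            if m and "\\system32\\" in m.group("dll").lower():
                stem = m.group("dll").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                flag("HIGH" if looks_random(stem) else "MEDIUM", code, body,
                     "rundll32 loads a DLL from system32 at logon; a random-looking "
                     "name is typical of a dropped hijacker component")
        elif code == "O6":
            flag("MEDIUM", code, body, "IE policy restrictions under HKCU; legitimate "
                 "only if an administrator or Group Policy put them there")
        elif code == "O15":
            host = re.sub(r"^https?://", "", body.split("Trusted Zone:", 1)[1].split()[0])
            registrable = ".".join(host.lstrip("*.").split(".")[-2:])
            if registrable not in TRUSTED_ZONE_ALLOWLIST:
                flag("HIGH" if host.startswith("*.") else "MEDIUM", code, body,
                     "Trusted Zone entry for an unexpected domain; the zone relaxes "
                     "IE's ActiveX and scripting restrictions for that site")
        elif code == "O23" and "(file missing)" in body:
            flag("LOW", code, body, "service path did not resolve; confirm whether the "
                 "binary is running before treating the entry as malicious")
    return findings


def diff_logs(before, after):
    """Entries removed and added between two logs, e.g. before/after a cleanup."""
    b = {f"{c} - {body}" for c, body in parse_entries(before)}
    a = {f"{c} - {body}" for c, body in parse_entries(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for f in triage(BEFORE_LOG):
        print(f"[{f['severity']}] {f['entry']}\n    {f['reason']}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("\nRemoved by the cleanup:", *removed, sep="\n  ")
    print("\nNew since the cleanup:", *added, sep="\n  ")
```

Run as a script it prints the findings and the before/after diff. The avast! "(file missing)" lines rate only LOW because the same binaries appear in the running-process list of both logs; the stray quote after `ashWebSv.exe` in the service path is what stops the path from resolving, not a missing file. The diff picks out exactly what ComboFix took away (the rundll32 entry for xbkpkjiv.dll, the second O6 policy, the *.sxload.net Trusted Zone entry and the HKLM start page) and what is new in the second log (the BHO lines and the WgaLogon notify entry, which HijackThis shows once the infection no longer hides them).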

#4 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 08 May 2007 - 11:51 AM

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All', found at the bottom of the list.
Click the 'Empty Selected' button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

***************************

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE).
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u1'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save it to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

Your log is clean. How's your PC running now, please?

#5 RamenRules
  • Topic Starter
  • Members
  • 9 posts

Posted 08 May 2007 - 01:02 PM

Richie,

Everything seems to be running fine. No more annoying pop-ups and browser redirections. I assume it's OK to re-enable System Restore? Also, should I rename the HijackThis executable back to what it was originally called?

Thank you once again for your assistance in cleaning up my laptop.

Henry

Edited by RamenRules, 08 May 2007 - 01:05 PM.


#6 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 08 May 2007 - 01:19 PM

You're welcome Henry :thumbsup:
If all's ok,please do the following:

Find and delete:
C:\QooBox

Turn 'System Restore' back on:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on Ok.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom, in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?'; click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

You can rename abc.bat back to HijackThis.exe if you wish, although we're done with it now. You might as well remove it via Start/Control Panel/Add or Remove Programs.

Edited by RichieUK, 08 May 2007 - 01:21 PM.
