Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With 888toolbar?


  • Please log in to reply
2 replies to this topic

#1 Sevenart

Sevenart

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:25 PM

Posted 27 May 2007 - 03:50 PM

ran spy bot S&D, it says I have 888toolbar or something, it couldnt remove it so I came here, heres my log;

Logfile of HijackThis v1.99.1
Scan saved at 4:38:49 PM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\AlienGUIse\wbload.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\Program Files\OO Software\CleverCache\ooccag.exe
F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Windows Media Player\WMPNetwk.exe
F:\WINDOWS\System32\alg.exe
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\Gigabyte\ET5\GUI.exe
F:\WINDOWS\vsnpstd2.exe
F:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
F:\Program Files\OO Software\CleverCache\OOCCCTRL.EXE
F:\WINDOWS\system32\ctfmon.exe
F:\program files\steam\steam.exe
F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
F:\WINDOWS\system32\taskmgr.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\WINDOWS\system32\rundll32.exe
F:\PROGRA~1\MOZILL~1\FIREFOX.EXE
F:\Program Files\Ventrilo\Ventrilo.exe
F:\Program Files\mIRC\mirc.exe
F:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
F:\Program Files\Winamp\winamp.exe
F:\Program Files\FlashGet\flashget.exe
F:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - F:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [GBB36X Configure] F:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ATITool] "F:\Program Files\ATITool\ATITool.exe" -s
O4 - HKLM\..\Run: [CAVRID] "F:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [EasyTuneV] F:\Program Files\Gigabyte\ET5\GUI.exe
O4 - HKLM\..\Run: [SNPSTD2] F:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "F:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [cctray] "F:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cftmon] F:\Program Files\Common Files\System\WinUpdate.exe
O4 - HKLM\..\Run: [OOCCCTRL.EXE] "F:\Program Files\OO Software\CleverCache\OOCCCTRL.EXE" /tasktray
O4 - HKLM\..\Run: [setup] rundll32.exe "F:\WINDOWS\system32\fgkkprwx.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "f:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "F:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Save Flash In This Page - F:\PROGRA~1\FLASHS~1.5\save.htm
O8 - Extra context menu item: Download All by FlashGet - F:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - F:\PROGRA~1\FLASHS~1.5\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - F:\PROGRA~1\FLASHS~1.5\save.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - F:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149006256343
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - F:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CaCCProvSP - CA, Inc. - F:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - F:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O CleverCache Agent (OOCleverCacheAgent) - O&O Software GmbH - F:\Program Files\OO Software\CleverCache\ooccag.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - F:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - F:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\RpcSandraSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - F:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

BC AdBot (Login to Remove)

 


#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:25 PM

Posted 27 May 2007 - 04:02 PM

Hi Sevenart, :flowers:

We're studying your log and will be back to you a.s.a.p.

Thanks for your patience. :thumbsup:

#3 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:25 PM

Posted 01 June 2007 - 03:39 AM

Hi Sevenart, :thumbsup:

Welcome to BleepingComputer Forums and thanks for again for your patience.

1. Download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

2. Run HijackThis, click Scan and checkmark the following entries:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [cftmon] F:\Program Files\Common Files\System\WinUpdate.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "F:\WINDOWS\system32\fgkkprwx.dll",realset


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

3. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the following folders in bold if they exist:

.......... and files in bold if they exist:

F:\WINDOWS\system32\ALCMTR.EXE
F:\Program Files\Common Files\System\WinUpdate.exe
F:\WINDOWS\system32\fgkkprwx.dll

4. Download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

5. You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 6u1). Older versions have vulnerabilities that malware can use to infect your system. Please update and remove the older versions. Do the following:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )

    It should have next icon next to it: Posted Image
    Select it and click Remove.
  • Then Download and install the newest version from here:

    Java Runtime Environment (JRE) 6u1
6. Download Deckard's System Scanner and save it to your Desktop.

* Double click dss.exe and follow the prompts.
* When finished, it will produce a log for you.
* Post the contents of that log in your next reply.
* Using Windows Explorer (to get there right-click your Start button and go to "Explore"), navigate to the C:\Deckard\System Scanner folder. You will find two logs in the folder, main.txt and extra.txt.
* Open the main.txt log in Notepad
* Also Copy and Paste its contents in a reply.

Please reboot and post the DSS report together with C:\vundofix.txt and a fresh HijackThis log.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users