Turnitin23

TOO MANY POPUPS!!!!


Wow, I think I've tried everything. And there are still popups everywhere. Here's my log

 

 

Logfile of HijackThis v1.99.1

Scan saved at 7:38:22 PM, on 9/25/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\Duce6.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\{B4FE4312-08A2-1033-1029-040624040001}\Update.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\crunner\cproc.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

C:\Program Files\Common Files\AOL\1124559215\ee\aolsoftware.exe

C:\WINDOWS\win32102-125840510.exe

C:\WINDOWS\sys11-1258405102.exe

C:\WINDOWS\sys011258405102-.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mnnim.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,xjumxgx.exe

O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - (no file)

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll

O3 - Toolbar: Quick! - {4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C} - blank (file missing)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - blank (file missing)

O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe

O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sys011258405102-] C:\WINDOWS\sys011258405102-.exe

O4 - HKLM\..\Run: [sys02258405102-1] C:\WINDOWS\sys02258405102-1.exe

O4 - HKLM\..\Run: [win32102-125840510] C:\WINDOWS\win32102-125840510.exe

O4 - HKLM\..\Run: [sys11-1258405102] C:\WINDOWS\sys11-1258405102.exe

O4 - HKLM\..\RunOnce: [wXsX56B0n] cmd /c IF EXIST "C:\WINDOWS\system32\iqqr.exe" del /s /q "C:\WINDOWS\system32\iqqr.exe"

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe

O4 - HKCU\..\Run: [rwiq] C:\PROGRA~1\COMMON~1\rwiq\rwiqm.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\pjtevvs.exe (file missing)

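A triage script for HijackThis log lines like the ones in the log above, added here as an example (it is not code from this thread or from HijackThis; the function names `triage`, `check_f2`, `check_o4`, `check_o23` and `command_path` are my own). It flags the entry classes a helper looks at first: system.ini Shell/UserInit hijacks (F2), autostarts that run from the Windows root or from look-alike paths (O4), and services whose binary is missing or unsigned by any known publisher (O23).

```python
"""Triage helper for HijackThis v1.99 log lines.

Added example, not code from the forum thread or from HijackThis itself.
It flags the entry classes a helper checks first: system.ini Shell and
UserInit hijacks (F2), autostarts that run from the Windows root directory
or from look-alike paths (O4), and services whose binary is missing or
whose publisher is unknown (O23).
"""
import re

# Sample input: a subset of lines copied from the logs posted in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mnnim.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,xjumxgx.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sys11-1258405102] C:\WINDOWS\sys11-1258405102.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cdrnfsco] C:\WINDOWS\system32\s?mbols\w?auclt.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\pjtevvs.exe (file missing)
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run(?:Once)?: \[(.*?)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
# An executable sitting directly in the Windows directory, not in a subfolder.
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$")


def split_values(value):
    """Split a comma-separated system.ini value into its non-empty parts."""
    return [p.strip() for p in value.split(",") if p.strip()]


def check_f2(key, value):
    """Return the entries that do not belong in a Shell or UserInit value.

    A clean Shell value is exactly "Explorer.exe"; a clean UserInit value is
    the system32 userinit.exe path followed by a lone trailing comma.
    Anything else is an extra program launched at every logon.
    """
    parts = split_values(value)
    if key == "Shell":
        return [p for p in parts if p.lower() != "explorer.exe"]
    return [p for p in parts if not p.lower().endswith("\\userinit.exe")]


def command_path(cmd):
    """Extract the executable path from an O4 command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def check_o4(cmd):
    """Reasons an autostart command looks suspicious (empty list if none)."""
    path = command_path(cmd)
    reasons = []
    if "?" in path:
        # HijackThis shows '?' for characters it cannot render; names such as
        # s?mbols and w?auclt.exe imitate real ones to blend into listings.
        reasons.append("unrenderable character in path (look-alike name)")
    if WINDOWS_ROOT_RE.match(path.lower()):
        # Legitimate system binaries live in system32; a winlogon.exe or a
        # randomly named .exe directly under C:\WINDOWS does not belong there.
        reasons.append("runs from the Windows root directory")
    return reasons


def check_o23(owner, binary):
    """Reasons a service entry looks suspicious (empty list if none)."""
    reasons = []
    if binary.endswith("(file missing)"):
        reasons.append("service binary missing from disk")
    if owner.lower() == "unknown owner":
        reasons.append("no publisher recorded for the service")
    return reasons


def triage(log_text):
    """Return (line, reason) pairs for every suspicious entry in the log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := F2_RE.match(line):
            extra = check_f2(m.group(1), m.group(2))
            if extra:
                findings.append((line, f"system.ini {m.group(1)} hijack: {extra}"))
        elif m := O4_RE.match(line):
            for reason in check_o4(m.group(3)):
                findings.append((line, reason))
        elif m := O23_RE.match(line):
            for reason in check_o23(m.group(2), m.group(3)):
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

On the sample above it reports seven findings: both F2 hijacks, the two executables in the Windows root, the look-alike `w?auclt.exe` path, and two reasons for the "Windows Overlay Components" service.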

Hi,

 

This is a really ugly infection.

 

Apologies for the late reply, we've been quite swamped in here as you can probably see.

 

Are you still needing help?

 

I'm now subscribed to this topic so I will receive a notice from the board as soon as you reply, so I can be here much more quickly than it has taken to get to your new topic.

 

If you still need help, please post a fresh HijackThis log so I can see where you are at this point.


Yes, I still need help. Here is my new HijackThis log.

 

 

Thank you

 

 

Logfile of HijackThis v1.99.1

Scan saved at 9:09:44 PM, on 10/2/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\{B4FE4312-08A2-1033-1029-040624040001}\Update.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Common Files\AOL\1124559215\ee\aolsoftware.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\AIM\aim.exe

c:\program files\common files\aol\1124559215\ee\aexplore.exe

c:\documents and settings\all users\start menu\programs\startup\svchost.exe

C:\DOCUME~1\HP_Owner\MYDOCU~1\DOBE~1\ntvdm.exe

C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

C:\Program Files\limewire\limewire.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R3 - URLSearchHook: (no name) - {A2B3F416-6DF1-3801-ACAA-671347D93E9D} - C:\WINDOWS\system32\mbbrim.dll

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mnnim.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,xjumxgx.exe

O2 - BHO: (no name) - {73364D99-1240-4dff-B11A-67E448373048} - C:\WINDOWS\system32\ipv6monk.dll

O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - (no file)

O2 - BHO: (no name) - {A2B3F416-6DF1-3801-ACAA-671347D93E9D} - C:\WINDOWS\system32\mbbrim.dll

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll

O3 - Toolbar: Quick! - {4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C} - blank (file missing)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - blank (file missing)

O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe

O4 - HKLM\..\Run: [ms0605102-12584] C:\WINDOWS\ms0605102-12584.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [rwiq] C:\PROGRA~1\COMMON~1\rwiq\rwiqm.exe

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\bak\Ares.exe" -h

O4 - HKCU\..\Run: [srro] "C:\DOCUME~1\HP_Owner\MYDOCU~1\DOBE~1\ntvdm.exe" -vt yazb

O4 - HKCU\..\Run: [Cdrnfsco] C:\WINDOWS\system32\s?mbols\w?auclt.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: svchost.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab

O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - AppInit_DLLs:

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\pjtevvs.exe (file missing)


Ok! Let's roll.

 

Start first with this tool:

 

1. Download this file - combofix.exe

http://download.bleepingcomputer.com/sUBs/combofix.exe

 

2. Double click on combofix.exe & follow the prompts.

 

Note: If you receive a popup with a Disclaimer, read that and answer Y for yes (or N for no)

Y is recommended (if you put N, the tool will exit without fixing and will remove the combofix file and folders)

 

Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

 

3. When finished, it shall produce a log for you. Post that log in your next reply.

..................................

Note: It is very late in the evening here and I'm about to retire after a 15 hour day of doing this, but I will review replies to topics first thing in the morning.


Sounds like these infections have done some damage in the registry.

 

Let's try this to see if the path variables are correct on your PC.

 

Download FIXPATH2.ZIP.

http://internet.cybermesa.com/~bstewart/files/fixpath2.zip

 

Extract the files to a folder in C:\, like C:\FIXPATH2.

 

RUNNING THE PROGRAM:

 

* Open a command prompt window by going to Start > Run and typing: cmd

In the command prompt, type: cd C:\ and press Enter.

 

So you should get C:\>

 

Then type: cd FIXPATH2 and press Enter

 

So you should get: C:\>fixpath2

 

Then type: FIXPATH.EXE and press Enter

* It will display some preliminary information, and ask if it should continue and check for errors. Click Yes.

* If it successfully updates the Path value in the registry, you will need to

reboot for the change to take effect. !! This is really important !!

 

If the path values are already correct it will tell you.


Can you pull up the Windows Task Manager (Ctrl>Alt>Del) and do you see cmd.exe in the running processes?

 

You can click on it and end the task. See if that allows you to run the tool. If not, close out all programs and any open windows and reboot your computer. Then try again.


OK, I clicked on ComboFix in Safe Mode and here is the log.

 

 

And I can finally access the Task Manager.

 

 

 

HP_Owner - 06-10-03 16:04:57.09 Service Pack 2

ComboFix 06.09.28 - Running from: "C:\Documents and Settings\HP_Owner\Desktop"

 

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

Qoologic uninstaller found and executed. Registry entries fixed.

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\Duce6.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe

C:\WINDOWS\system32\aaa00000.sys

C:\WINDOWS\system32\bez6n4r21.exe

C:\WINDOWS\system32\n9nyb.exe

C:\WINDOWS\system32\tsuninst.exe

C:\WINDOWS\system32\WinNB58.dll

C:\WINDOWS\csvhost.exe

C:\WINDOWS\system32bez6n4r21.exe

C:\WINDOWS\system32ghynf.exe

C:\WINDOWS\system32n9nyb.exe

C:\WINDOWS\thiselt.exe

C:\WINDOWS\uninst104.exe

C:\WINDOWS\MirarSetup_876075.exe

C:\WINDOWS\Eim03.exe

C:\WINDOWS\uni_ehhhh.exe

C:\Program Files\Common Files\Yazzle1122OinAdmin.exe

C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe

C:\WINDOWS\uninstall_nmon.vbs

C:\Documents and Settings\LocalService\Application Data\NetMon

C:\Program Files\Common Files\misc002

C:\Program Files\Deskbar

C:\Program Files\Inetget2

C:\Program Files\msupdate

C:\WINDOWS\system32\crunner

C:\Program Files\Common Files\{B4FE4312-08A2-1033-1029-040624040001}

 

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

 

Folders Quarantined:

 

C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\SSTEM~1

C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\DOBE~1

C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\DOBE~1\ntvdm.exe

C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\DOBE~1\?dobe

C:\QooBox\Purity\WINDOWS\system32\SMBOLS~1

C:\QooBox\Purity\WINDOWS\system32\SMBOLS~1\w?auclt.exe

 

 

((((((((((((((((((((((((((((((( Files Created from 2006-09-03 to 2006-10-03 ))))))))))))))))))))))))))))))))))

 

 

2006-10-02 22:30 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys

2006-10-02 20:59 131,072 --a------ C:\WINDOWS\system32\mbbrim.dll

2006-10-02 20:56 0 --a------ C:\WINDOWS\system32\taskkill.exe

2006-10-02 20:56 0 --a------ C:\WINDOWS\b.exe

2006-09-29 20:32 89,304 --a------ C:\WINDOWS\z.exe

2006-09-29 20:32 63,192 --a------ C:\WINDOWS\system32\ipv6monk.dll

2006-09-27 09:33 56,024 --a------ C:\WINDOWS\system32\ipv6monl.dll

2006-09-27 09:33 18,432 --a------ C:\svhost.exe

2006-09-27 07:10 163,840 --a------ C:\WINDOWS\ms0605102-12584.exe

2006-09-25 16:20 163,840 --a------ C:\WINDOWS\sys0358405102-122006.exe

2006-09-19 18:39 32,768 --a------ C:\WINDOWS\azejcoue.exe

2006-09-19 18:26 32,768 --a------ C:\WINDOWS\efldnqym.exe

2006-09-19 18:23 163,840 --a------ C:\WINDOWS\ms05405102-12582006.exe

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-10-03 16:05 -------- d-a------ C:\Program Files\Common Files

2006-10-03 15:24 -------- d--h----- C:\Program Files\InstallShield Installation Information

2006-10-02 22:25 -------- d-------- C:\Program Files\WinRAR

2006-10-02 20:59 2 --a------ C:\WINDOWS\system32\wnstssv.exe

2006-09-29 20:55 -------- d-------- C:\Program Files\Mozilla Firefox

2006-09-27 15:11 -------- d-------- C:\Program Files\Internet Explorer

2006-09-27 15:07 -------- d-------- C:\Program Files\Ares

2006-09-27 01:17 -------- d-------- C:\Program Files\Common Files\rwiq

2006-09-26 23:25 -------- d-------- C:\Program Files\AIM

2006-09-26 20:23 -------- d-------- C:\Program Files\mIRC

2006-09-24 14:45 -------- d-------- C:\Program Files\xdcc klipper

2006-09-22 15:58 -------- d-------- C:\Program Files\PartyPoker

2006-09-22 15:58 -------- d-------- C:\Program Files\MailSkinner

2006-09-20 22:59 -------- d-------- C:\Program Files\CCleaner

2006-09-19 18:30 -------- d--h----- C:\Program Files\Common Files\cloader

2006-09-16 13:31 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\PlayFirst

2006-09-04 01:44 -------- d-------- C:\Program Files\AOD

2006-09-02 14:17 -------- d-------- C:\Program Files\AviSynth 2.5

2006-09-02 13:02 159744 --a------ C:\WINDOWS\win3208102-12584052006.exe

2006-08-31 15:11 -------- d-------- C:\Program Files\MSN

2006-08-31 15:11 -------- d-------- C:\Program Files\Messenger

2006-08-30 15:21 678912 --a------ C:\WINDOWS\is-3CD0P.exe

2006-08-30 15:20 -------- d-------- C:\Program Files\ComPlus Applications

2006-08-30 15:10 -------- d-------- C:\Program Files\Lavasoft

2006-08-30 15:10 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Lavasoft

2006-08-30 13:52 8464 --a------ C:\WINDOWS\system32\sporder.dll

2006-08-30 13:48 186219 --a------ C:\WINDOWS\srvnhojrwr.exe

2006-08-30 13:48 146 --a------ C:\WINDOWS\file.bat

2006-08-30 13:47 45056 --a------ C:\WINDOWS\system32fufudc.exe

2006-08-30 13:47 28672 --a------ C:\WINDOWS\system32ra8pv.exe

2006-08-30 13:47 28672 --a------ C:\WINDOWS\system32\ra8pv.exe

2006-08-30 13:47 215308 --a------ C:\WINDOWS\Setup90.exe

2006-08-30 13:47 1233 --a------ C:\WINDOWS\system32\mpwc79a3.sys

2006-08-30 13:46 186223 --a------ C:\WINDOWS\srvgtgvcqy.exe

2006-08-30 13:45 365568 --a------ C:\814.exe

2006-08-30 13:45 32768 --a------ C:\WINDOWS\unstall.exe

2006-08-30 13:45 215308 --a------ C:\WINDOWS\srvsqyjzfw.exe

2006-08-26 01:59 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\vlc

2006-08-26 01:47 -------- d-------- C:\Program Files\VideoLAN

2006-08-22 17:27 -------- d-------- C:\Program Files\LimeWire

2006-08-07 11:17 61440 --a------ C:\WINDOWS\system32\BattyRun2.dll

2006-07-31 12:10 1142784 --a------ C:\WINDOWS\system32\kcnzrop6.exe

2006-07-31 12:09 24576 --a------ C:\WINDOWS\system32\ewxcksr.exe

2006-07-25 14:49 256000 --a------ C:\WINDOWS\system32\avrucdnit.exe

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

"rwiq"="C:\\PROGRA~1\\COMMON~1\\rwiq\\rwiqm.exe"

"ares"="\"C:\\Program Files\\Ares\\bak\\Ares.exe\" -h"

"Srro"="\"C:\\DOCUME~1\\HP_Owner\\MYDOCU~1\\DOBE~1\\ntvdm.exe\" -vt yazb"

"Cdrnfsco"="C:\\WINDOWS\\system32\\s?mbols\\w?auclt.exe"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Windows Logon Process"="C:\\WINDOWS\\winlogon.exe"

"ms0605102-12584"="C:\\WINDOWS\\ms0605102-12584.exe"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000000

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="C:\\Program Files\\Messenger\\kyzeq.html"

"SubscribedURL"=""

"FriendlyName"=""

"Flags"=dword:00002000

"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\

03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00

"CurrentState"=hex:01,00,00,40

"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\

00,00,01,00,00,00

"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]

"Source"="C:\\Program Files\\MSN\\howynyj.html"

"SubscribedURL"=""

"FriendlyName"=""

"Flags"=dword:00002000

"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\

03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00

"CurrentState"=hex:01,00,00,40

"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\

00,00,01,00,00,00

"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]

"Source"="http://www.angelkizz.net/graphics/cursors/butterfly/2.gif"

"SubscribedURL"="http://www.angelkizz.net/graphics/cursors/butterfly/2.gif"

"FriendlyName"=""

"Flags"=dword:00000001

"Position"=hex:2c,00,00,00,a3,01,00,00,25,00,00,00,a2,00,00,00,98,00,00,00,ec,\

03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00

"CurrentState"=hex:01,00,00,00

"OriginalStateInfo"=hex:18,00,00,00,d3,03,00,00,70,01,00,00,20,00,00,00,20,00,\

00,00,01,00,00,40

"RestoredStateInfo"=hex:14,6d,be,07,41,c0,b4,74,d0,50,37,07,68,de,be,07,20,6d,\

be,07,81,65,00,00

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\3]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

"Flags"=dword:00000002

"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3c,02,00,00,00,\

00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00

"CurrentState"=hex:04,00,00,40

"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\

ff,ff,04,00,00,00

"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\

00,00,01,00,00,00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

"wininet.dll"="mscornet.exe"

"nvctrl.exe"="nvctrl.exe"

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

 

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders

securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

 

 

Completion time: Tue 10/03/2006 16:06:39.23


Please go to your Control Panel and look in Add/Remove programs.

 

Find this in the list, highlight it, then press Remove:

MailSkinner

 

That little nasty installs all sorts of crap on your computer and some of it hidden from Windows in a rootkit.

Stay away from that "free" program and any others that offer to add cool smilies and other things to your email. You may end up with more than you bargained for as in this case.

 

So, that's progress with the ComboFix but there is more work to do.

 

Post a report from this tool

 

Download the free beta trial of this tool from F-Secure called Blacklight

F-Secure Blacklight:

https://europe.f-secure.com/blacklight/try.shtml

Double-click on bibeta.exe to run it.

Click the *I accept* button near the bottom of that page.

Download and run BlackLight, click Scan, then Next, Next again, then Exit.

There will be a new text file near BlackLight. Post it please. The text file is named:

fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)

!!Do not rename any files yet


And here is the next step:

 

1. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

 

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

 

 

2. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

3. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

 

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

 

4. Once back into normal mode, please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

 

Logs needed in your next post are:

 

rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

 

Fresh HijackThis log


OK, I didn't find MailSkinner in the Add/Remove Programs page, but I did find the folder and deleted that. As for the BlackLight, here is the log:

 

 

10/03/06 19:47:29 [info]: BlackLight Engine 1.0.47 initialized

10/03/06 19:47:29 [info]: OS: 5.1 build 2600 (Service Pack 2)

10/03/06 19:47:29 [Note]: 7019 4

10/03/06 19:47:29 [Note]: 7005 0

10/03/06 19:47:41 [Note]: 7006 0

10/03/06 19:47:41 [Note]: 7011 1388

10/03/06 19:47:41 [Note]: 7026 0

10/03/06 19:47:41 [Note]: 7026 0

10/03/06 19:47:45 [Note]: FSRAW library version 1.7.1020

10/03/06 19:53:26 [Note]: 2000 1012

10/03/06 19:56:02 [Note]: 7007 0


HijackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 8:09:27 PM, on 10/3/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\AOL\1124559215\ee\aolsoftware.exe

C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

 

R3 - URLSearchHook: (no name) - {A2B3F416-6DF1-3801-ACAA-671347D93E9D} - C:\WINDOWS\system32\mbbrim.dll

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {73364D99-1240-4dff-B11A-67E448373048} - C:\WINDOWS\system32\ipv6monk.dll

O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - (no file)

O2 - BHO: (no name) - {A2B3F416-6DF1-3801-ACAA-671347D93E9D} - C:\WINDOWS\system32\mbbrim.dll

O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe

O4 - HKLM\..\Run: [ms0605102-12584] C:\WINDOWS\ms0605102-12584.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [rwiq] C:\PROGRA~1\COMMON~1\rwiq\rwiqm.exe

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\bak\Ares.exe" -h

O4 - HKCU\..\Run: [srro] "C:\DOCUME~1\HP_Owner\MYDOCU~1\DOBE~1\ntvdm.exe" -vt yazb

O4 - HKCU\..\Run: [Cdrnfsco] C:\WINDOWS\system32\s?mbols\w?auclt.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab

O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab

O20 - AppInit_DLLs:

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\pjtevvs.exe (file missing)

And rapport.txt. I accidentally ran it twice; on the first run it deleted a lot of infected files. I guess the second log overwrote the first. Sorry.


SmitFraudFix v2.104

 

Scan done at 20:04:25.84, Tue 10/03/2006

Run from C:\Documents and Settings\HP_Owner\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End


You're doing great.

I don't think we need Fixpath at this point; that was to fix a possible problem running ComboFix. But we still have a ways to go. This was a severely infected computer with many different pieces of malware.

 

Make a copy of these instructions to have handy as some of these steps will need to be done in safe mode, and you won't be able to view this window.

 

1. Please download Brute Force Uninstaller to your desktop.

  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

2. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.

Save it in the same folder you made earlier (c:\BFU).

 

Do not do anything with these yet!

 

3. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

4. Once in safe mode, please go to Start > My Computer and navigate to the C:\BFU folder.

  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Checkmark the "Show log after script ends" box before running the program.
  • Behind the scriptline to execute field, click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Click "Save" and in "Filename" enter log.txt
  • Click Exit to exit the BFU program.

Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder

 

5. Reboot back into normal mode

 

6. Now please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

 

Logs needed in your next post are:

 

log.txt will be in the C:\BFU\ folder

 

Fresh HijackThis log

 

Note: Don't worry if the BFU log says a lot of "failed". It only shows what it did not find, which is normal, since it looks for a large amount of malware known to accompany this infection.


OK. Here is the BFU log:

 

BFU v1.00.9

Windows XP SP2 (WinNT 5.01.2600 SP2)

Script started at 2:50:30 PM, on 10/4/2006

 

Option Unload Explorer: Yes

Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)

Failed: DllUnregister C:\Program Files\Deskbar\deskbar.dll|1 (file not found)

Failed: DllUnregister \asappsrv.dll|1 (file not found)

Failed: ServiceStop Network Monitor (service not found)

Failed: ServiceStop cmdService (service not found)

Failed: ServiceDisable Network Monitor (service not found)

Failed: ServiceDisable cmdService (service not found)

Failed: ServiceDelete Network Monitor (service not found)

Failed: ServiceDelete cmdService (service not found)

Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)

Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)

Option pause between commands: 300 ms

Option pause between commands: 50 ms

Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)

Failed: FolderDelete C:\Program Files\winupdates (folder not found)

Failed: FolderDelete C:\Program Files\winupdate (folder not found)

Failed: FolderDelete C:\Program Files\winsupdater (folder not found)

Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)

Failed: FolderDelete C:\Program Files\MsMovies (folder not found)

Failed: FolderDelete C:\Program Files\wmplayer (folder not found)

Failed: FolderDelete C:\Program Files\outlook (folder not found)

Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)

Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)

Failed: FolderDelete C:\Program Files\MediaPipe (folder not found)

Failed: FolderDelete C:\Program Files\p2pnetworks (folder not found)

Failed: FileDelete C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\~DFC4AE.tmp (operation failed)

Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)

Failed: FolderDelete C:\Program Files\DNS (folder not found)

Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)

Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\svchostsys (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\simtest (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\misc001 (folder not found)

Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)

Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)

Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)

Failed: FolderDelete C:\Program Files\Update06 (folder not found)

Failed: FolderDelete C:\Program Files\Update03 (folder not found)

Failed: FolderDelete C:\Program Files\Update04 (folder not found)

Failed: FolderDelete C:\Program Files\Update08 (folder not found)

Failed: FolderDelete C:\Program Files\W-Update (folder not found)

Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)

Failed: FolderDelete C:\Program Files\Cas (folder not found)

Failed: FolderDelete C:\Program Files\CasStub (folder not found)

Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)

Failed: FolderDelete C:\Program Files\ipwins (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\Snowball Wars (folder not found)

Failed: FolderDelete C:\WINDOWS\mdrive (folder not found)

Failed: FolderDelete C:\WINDOWS\system32\crunner (folder not found)

Failed: FolderDelete C:\Program Files\PECarlin (folder not found)

Failed: FolderDelete C:\Program Files\AXVenore (folder not found)

Failed: FolderDelete C:\Program Files\SDVita (folder not found)

Failed: FolderDelete C:\Program Files\EQBranch (folder not found)

Failed: FolderDelete C:\Program Files\EQArticle (folder not found)

Failed: FolderDelete C:\Program Files\PSHope (folder not found)

Failed: FolderDelete C:\Program Files\Batty (folder not found)

Failed: FolderDelete C:\Program Files\Batty2 (folder not found)

Failed: FolderDelete C:\Program Files\AXFibula (folder not found)

Failed: FolderDelete C:\Program Files\CMFibula (folder not found)

Failed: FolderDelete C:\Program Files\PSLister (folder not found)

Failed: FolderDelete C:\Program Files\PSCloner (folder not found)

Failed: FolderDelete C:\Program Files\cmapp (folder not found)

Failed: FolderDelete C:\Program Files\cmman (folder not found)

Failed: FolderDelete C:\Program Files\cmsystem (folder not found)

Failed: FolderDelete C:\Program Files\fcengine (folder not found)

Failed: FolderDelete C:\Program Files\wincmapp (folder not found)

Failed: FolderDelete C:\Program Files\Deskbar\Cache (folder not found)

Failed: FolderDelete C:\Program Files\popupwithcast (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\misc001 (folder not found)

Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)

Script completed.

And the HijackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 2:55:33 PM, on 10/4/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Ares\bak\Ares.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

C:\Program Files\Common Files\AOL\1124559215\ee\aolsoftware.exe

c:\program files\common files\aol\1124559215\ee\aexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

 

R3 - URLSearchHook: (no name) - {A2B3F416-6DF1-3801-ACAA-671347D93E9D} - C:\WINDOWS\system32\mbbrim.dll

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {73364D99-1240-4dff-B11A-67E448373048} - C:\WINDOWS\system32\ipv6monk.dll

O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - (no file)

O2 - BHO: (no name) - {A2B3F416-6DF1-3801-ACAA-671347D93E9D} - C:\WINDOWS\system32\mbbrim.dll

O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe

O4 - HKLM\..\Run: [ms0605102-12584] C:\WINDOWS\ms0605102-12584.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [rwiq] C:\PROGRA~1\COMMON~1\rwiq\rwiqm.exe

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\bak\Ares.exe" -h

O4 - HKCU\..\Run: [srro] "C:\DOCUME~1\HP_Owner\MYDOCU~1\DOBE~1\ntvdm.exe" -vt yazb

O4 - HKCU\..\Run: [Cdrnfsco] C:\WINDOWS\system32\s?mbols\w?auclt.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab

O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab

O20 - AppInit_DLLs:

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\pjtevvs.exe (file missing)

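The helper's note earlier in the thread is that most "Failed:" lines in a BFU log are expected, because the script tries to remove everything known to travel with this infection and reports each target it did not find. The log posted above also contains a few "(operation failed)" lines, which is a different outcome from "(... not found)". The classifier below is an added example for this page, not part of BFU or its scripts; it splits a log into expected misses and lines that failed for some other reason, so the latter can be checked by hand instead of being lost in the noise. The line format is taken from the posted log, and the sample lines are excerpted from it; the set of "absent" reasons is this example's own assumption based on that wording.

```python
"""
Sort a Brute Force Uninstaller (BFU) log into lines that failed only because
the target was absent and lines that failed for some other reason.  Added
example for this thread; not part of BFU or its scripts.  The line format is
taken from the log posted above, and the sample below is excerpted from it.
"""
import re
from typing import Dict, List

# Failed: <Action> <target> (<reason>)
FAILED_LINE = re.compile(r"^Failed:\s+(\w+)\s+(.*?)\s+\((.*)\)$")
# Reasons that only mean "nothing there to remove" (assumed from the log's wording).
ABSENT_REASONS = {"file not found", "folder not found", "service not found",
                  "key not found", "value not found", "source file not found"}


def classify_bfu_log(log_text: str) -> Dict[str, List[str]]:
    """Bucket every line: absent (expected misses), check (other failures), info."""
    buckets: Dict[str, List[str]] = {"absent": [], "check": [], "info": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = FAILED_LINE.match(line)
        if not match:
            buckets["info"].append(line)          # version, options, "Script completed."
            continue
        action, target, reason = match.groups()
        if reason in ABSENT_REASONS:
            buckets["absent"].append(f"{action} {target}")
        else:
            buckets["check"].append(f"{action} {target} ({reason})")
    return buckets


# Excerpt of the BFU log posted in this thread.
SAMPLE_BFU_LOG = r"""
BFU v1.00.9
Option Unload Explorer: Yes
Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
Failed: ServiceStop cmdService (service not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: FolderDelete C:\WINDOWS\system32\crunner (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\~DFC4AE.tmp (operation failed)
Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.
"""

if __name__ == "__main__":
    result = classify_bfu_log(SAMPLE_BFU_LOG)
    print(f"{len(result['absent'])} expected misses, {len(result['check'])} to check by hand:")
    for line in result["check"]:
        print("  ", line)
```

On the posted log this leaves two FileDelete lines in the "check" bucket (a wildcard delete under Common Files and a temp file that still existed); whether those are locked files or simply wildcards that matched nothing is something the log alone does not say, which is exactly why they deserve a look rather than being waved through with the "not found" lines.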

Sorry for the delay in replying. With the forums down, I could not get in until this afternoon.

 

Please open HijackThis, and do a *system scan only*

 

When it finishes, checkmark these entries, then press the *fix checked* button

 

R3 - URLSearchHook: (no name) - {A2B3F416-6DF1-3801-ACAA-671347D93E9D} - C:\WINDOWS\system32\mbbrim.dll

 

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

 

O2 - BHO: (no name) - {73364D99-1240-4dff-B11A-67E448373048} - C:\WINDOWS\system32\ipv6monk.dll

 

O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - (no file)

 

O2 - BHO: (no name) - {A2B3F416-6DF1-3801-ACAA-671347D93E9D} - C:\WINDOWS\system32\mbbrim.dll

 

O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe

 

O4 - HKLM\..\Run: [ms0605102-12584] C:\WINDOWS\ms0605102-12584.exe

 

O4 - HKCU\..\Run: [rwiq] C:\PROGRA~1\COMMON~1\rwiq\rwiqm.exe

 

O4 - HKCU\..\Run: [srro] "C:\DOCUME~1\HP_Owner\MYDOCU~1\DOBE~1\ntvdm.exe" -vt yazb

 

O4 - HKCU\..\Run: [Cdrnfsco] C:\WINDOWS\system32\s?mbols\w?auclt.exe

 

O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab

 

O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab

 

O20 - AppInit_DLLs:

 

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\pjtevvs.exe (file missing)

.....................

delete these files and folder if found

 

C:\WINDOWS\winlogon.exe <---NOTE: do not confuse with the legitimate file winlogon.exe located in the System or System32 folder. The "bad" one is located directly in the Windows folder.

 

C:\WINDOWS\ms0605102-12584.exe

 

C:\PROGRA~1\COMMON~1\rwiq (folder)

 

Reboot your PC.

 

Go to this file for HijackThis and we are going to rename it in case some entries are hiding:

C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe <---right click on the file and choose *rename* from the menu that pops up. Rename the file to: HJT.exe

Then close out that window. Open the newly renamed HJT.exe by double-clicking on it to run it.

Do a scan and create a log file. Post the new log back here please.

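The checks the helper applied by eye in the post above (a system binary name such as winlogon.exe outside System32, the "?" that HijackThis prints for look-alike characters in s?mbols\w?auclt.exe, randomised names like ms0605102-12584.exe, "(no file)" and "(file missing)" orphans, nameless BHOs, unknown-owner services, ActiveX .cab downloads) can be turned into a repeatable first pass over a pasted log. The script below is an added example for this page, not a tool from the thread or from the HijackThis authors. The system-binary list and the regexes are its own assumptions, and the two log excerpts are copied from the 10/4 and 10/6 logs posted above so the before/after comparison shows which items the fix removed.

```python
"""
Triage pass over a HijackThis 1.99.x log.  Added example for this thread: it is
not a tool from the thread or from the HijackThis authors.  The rules encode
what the helper checked by eye; the system-binary list and regexes below are
this example's own assumptions, not HijackThis behaviour.
"""
import re
from typing import Dict, List, Set

# Windows binaries that legitimately live only under \WINDOWS\system32
# (assumed short list; enough for an XP-era log, extend as needed).
SYSTEM_BINARIES = {"winlogon.exe", "wuauclt.exe", "svchost.exe", "lsass.exe",
                   "services.exe", "csrss.exe", "smss.exe", "ntvdm.exe"}
# HijackThis prints '?' for characters it cannot display, which is how
# look-alike letters in a path (s?mbols\w?auclt.exe) show up in a pasted log.
LOOKALIKE = re.compile(r"\?")
# Randomised dropper names in this infection look like ms0605102-12584.exe.
RANDOM_NAME = re.compile(r"^[a-z]{2,6}\d{4,}[\d-]*\.exe$", re.I)
ITEM_LINE = re.compile(r"^[RFO]\d+ - ")
PATH_IN_LINE = re.compile(r'([A-Za-z]:\\[^"\s]+\.(?:exe|dll))', re.I)
HOST_IN_LINE = re.compile(r"https?://([^/\s]+)/", re.I)


def parse_items(log_text: str) -> List[str]:
    """Keep the R*/F*/O* item lines; the header and process list are dropped."""
    lines = (ln.strip() for ln in log_text.splitlines())
    return [ln for ln in lines if ITEM_LINE.match(ln)]


def flag_item(item: str) -> List[str]:
    """Reasons an item deserves a closer look; an empty list means nothing noted."""
    reasons: List[str] = []
    if "(no file)" in item or "(file missing)" in item:
        reasons.append("orphan: registry entry points at a file that is gone")
    if item.startswith("O2 - BHO: (no name)"):
        reasons.append("nameless BHO (legitimate BHOs almost always carry a name)")
    if item.startswith("O16 - DPF:"):
        host = HOST_IN_LINE.search(item)
        reasons.append("ActiveX control downloaded from "
                       + (host.group(1) if host else "an unparsed URL"))
    if item.startswith("O23 - Service:") and "Unknown owner" in item:
        reasons.append("service with no publisher recorded")
    for path in PATH_IN_LINE.findall(item):
        folder, name = path.lower().rsplit("\\", 1)
        if name in SYSTEM_BINARIES and not folder.endswith("\\system32"):
            reasons.append(f"{name} outside System32: {path}")
        if LOOKALIKE.search(path):
            reasons.append(f"look-alike characters in path: {path}")
        if RANDOM_NAME.match(name):
            reasons.append(f"randomised file name: {name}")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Every flagged item mapped to its reasons."""
    result: Dict[str, List[str]] = {}
    for item in parse_items(log_text):
        reasons = flag_item(item)
        if reasons:
            result[item] = reasons
    return result


def removed_between(before: str, after: str) -> Set[str]:
    """Items present in an earlier log and absent from a later one."""
    return set(parse_items(before)) - set(parse_items(after))


# Excerpts of the 10/4 (before) and 10/6 (after) logs posted in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {73364D99-1240-4dff-B11A-67E448373048} - C:\WINDOWS\system32\ipv6monk.dll
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [ms0605102-12584] C:\WINDOWS\ms0605102-12584.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [srro] "C:\DOCUME~1\HP_Owner\MYDOCU~1\DOBE~1\ntvdm.exe" -vt yazb
O4 - HKCU\..\Run: [Cdrnfsco] C:\WINDOWS\system32\s?mbols\w?auclt.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\pjtevvs.exe (file missing)
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

if __name__ == "__main__":
    for item, reasons in triage(LOG_BEFORE).items():
        print(item, "\n   -", "\n   - ".join(reasons))
    print(f"\n{len(removed_between(LOG_BEFORE, LOG_AFTER))} items gone after the fix; "
          f"{len(triage(LOG_AFTER))} still flagged")
```

The rules are a first pass, not a verdict: the O4 entry for C:\PROGRA~1\COMMON~1\rwiq\rwiqm.exe in the posted log trips none of them, and the helper flagged it from knowledge of that particular malware rather than from anything in the line itself. Pattern checks like these catch the masquerades and orphans quickly so that attention can go to the entries that need a human or a reputation lookup.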

New HijackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 10:29:36 PM, on 10/6/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Ares\bak\Ares.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

C:\Program Files\Common Files\AOL\1124559215\ee\aolsoftware.exe

c:\program files\common files\aol\1124559215\ee\aexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\HP_Owner\Desktop\HJT.exe.exe

 

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\bak\Ares.exe" -h

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


That looks pretty good!

I think we got the active infections anyway. Because HijackThis doesn't scan the entire system, nor is it intended to clean like a scanner would... what antispyware/antimalware scanners have you used so far to clean with?


Here are the stats:


Scan Statistics

Total number of scanned objects 66352

Number of viruses found 49

Number of infected objects 519 / 0

Number of suspicious objects 0

Duration of the scan process 00:58:27
