FullZombie

MySpace/AIM Virus

34 posts in this topic

My girlfriend was duped by the MySpace/AIM virus, and I'm trying to clean up her computer. I'm computer literate, with a working understanding of how things work, but I'm finding this virus fix a little too technical for me. Little help?

 

Here is the HijackThis log.

 

-----------------------------------------------------------------------------------------------

 

 

Logfile of HijackThis v1.99.1

Scan saved at 8:42:01 PM, on 5/13/2006

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\regsvr32.exe

C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\mHotkey.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\defender19a.exe

C:\WINDOWS\cfg32.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Ares\Ares.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Documents and Settings\eMachines\Desktop\antiv\HijackThis.exe

C:\WINDOWS\cfg32a.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.play.net/dr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hp44E8.tmp (file missing)

O2 - BHO: (no name) - {F065EED2-914D-456A-84DF-52E88BAAE029} - C:\Program Files\Common Files\horel.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [defender] C:\\defender19a.exe

O4 - HKLM\..\Run: [keyboard] C:\\keyboard19.exe

O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm

O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\aim\aim.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Microsoft DLL Registration Component (DLLReg) - Unknown owner - C:\WINDOWS\regsvr32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

 

 

-----------------------------------------------------------------------------------------------

 

I believe that I have identified the following files as something to worry about.

 

C:\defender19a.exe

C:\WINDOWS\cfg32.exe

C:\WINDOWS\cfg32a.exe

 

Other things found by HijackThis have been identified as "nasty" as well. Basically, I'm just looking for directions in layman's terms, so I can get this baddy off of my machine.

 

-Full Zombie


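The following script is an added example, not code from the original thread or from HijackThis itself. It applies a few generic triage heuristics to the kinds of lines HijackThis prints (an executable running from the drive or Windows root, a well-known system binary name outside System32, a BHO whose file is missing or is a .tmp, a service with "Unknown owner" outside trusted locations, and O10 Winsock hijack entries) over a constructed sample built from lines of the log above. The reason codes, the SYSTEM_BINARIES set and the TRUSTED_PREFIXES tuple are the example's own choices, not HijackThis conventions, and the output is a list for human review rather than a verdict on any file.

```python
"""Triage heuristics for HijackThis 1.99 log lines.

Added example, not part of the original thread: it reads the kinds of lines
HijackThis prints (running processes, O2 BHOs, O4 Run entries, O10 Winsock
entries, O23 services) and flags the ones matching a few generic warning
signs. It produces a review list, not a verdict on any file.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Reason codes emitted by the heuristics below (this example's own labels).
R_ROOT = "binary directly in drive or Windows root"
R_SYSNAME = "system binary name outside System32"
R_MISSING = "registered component file is missing"
R_TMP = "component loaded from a .tmp file"
R_SERVICE = "service with unknown owner outside trusted locations"
R_LSP = "Winsock LSP hijack reported by HijackThis"

# Names that legitimately live in System32; the same name elsewhere is worth a
# look (compare C:\WINDOWS\regsvr32.exe in the posted log). Assumed list.
SYSTEM_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "regsvr32.exe", "rundll32.exe"}
# Locations treated as "expected" for services; an assumption of this example.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\progra~1\\")

# First drive-letter path on a line, ending at a binary extension.
_PATH_RE = re.compile(r'([a-z]:\\[^"\n]*?\.(?:exe|dll|ocx|tmp))(?=[\s",)]|$)', re.I)

# Constructed sample: lines copied from the log posted in this thread plus a
# few benign ones, so the script runs offline. Not the complete log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\regsvr32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\defender19a.exe
C:\WINDOWS\cfg32.exe
C:\WINDOWS\cfg32a.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hp44E8.tmp (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [defender] C:\\defender19a.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O10 - Hijacked Internet access by New.Net
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Microsoft DLL Registration Component (DLLReg) - Unknown owner - C:\WINDOWS\regsvr32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""


@dataclass(frozen=True)
class Finding:
    line: str
    path: str
    reason: str


def normalize(path: str) -> str:
    """Lower-case and collapse doubled backslashes as HijackThis sometimes prints them."""
    return re.sub(r"\\+", r"\\", path).lower()


def classify_path(path: str) -> list[str]:
    """Location-based heuristics that apply to any line carrying a file path."""
    reasons = []
    parent, _, name = path.rpartition("\\")
    if parent + "\\" in ("c:\\", "c:\\windows\\"):
        reasons.append(R_ROOT)
    if name in SYSTEM_BINARIES and not path.startswith("c:\\windows\\system32\\"):
        reasons.append(R_SYSNAME)
    if name.endswith(".tmp"):
        reasons.append(R_TMP)
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per (line, reason) pair that deserves a human look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O10 - "):
            # HijackThis already names these as hijacked Winsock access.
            findings.append(Finding(line, "O10", R_LSP))
            continue
        m = _PATH_RE.search(line)
        if not m:
            continue
        path = normalize(m.group(1))
        reasons = classify_path(path)
        if line.startswith("O2 - ") and "(file missing)" in line:
            reasons.append(R_MISSING)
        if (line.startswith("O23 - ") and "Unknown owner" in line
                and not path.startswith(TRUSTED_PREFIXES)):
            reasons.append(R_SERVICE)
        findings.extend(Finding(line, path, r) for r in reasons)
    return findings


def summarize(log_text: str) -> dict[str, set[str]]:
    """Group findings by normalized path so a path seen in several sections appears once."""
    summary: dict[str, set[str]] = defaultdict(set)
    for f in triage(log_text):
        summary[f.path].add(f.reason)
    return dict(summary)


if __name__ == "__main__":
    for path, reasons in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{path}: {', '.join(sorted(reasons))}")
```

Running the file prints one line per flagged path with every reason attached. The root-directory rule also catches OEM utilities such as SOUNDMAN.EXE, which is why each finding carries its reason instead of a malicious/benign label; the same rule is what makes defender19a.exe, cfg32.exe and cfg32a.exe stand out in the posted log, and the combination of an unusual location with a System32 file name is what singles out the DLLReg service.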
That's not just one baddie. You've got a whole collection there.

 

How come no service packs on XP??

 

Let's start with the Alcra/Alcan worm

 

Please download Brute Force Uninstaller.

Unzip it to its own folder (c:\BFU)

 

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).

 

Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe

 

In the scriptline to execute field copy and paste c:\bfu\alcanshorty.bfu

Press execute and let it do its job.

 

Wait for the complete script execution box to pop up and press OK.

 

click "save"

 

In "filename" enter log.txt

 

click exit to exit the BFU program.

 

Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder ...


BTW, HijackThis only sees the "tip of the iceberg" and doesn't scan the entire system. I would not rely on what you find in that log to tell you everything.

 

Next step is to go to your Control Panel and find the following in the list:

 

New.Net (or NewDotNet)

 

Highlight it and remove the program from there.

 

Any other removal method could cause you to lose internet connectivity.

 

I'll wait for the BFU logs before going on to the next step (this PC also has the Smitfraud pest)


First I do want to mention that I ran SpybotSD since I posted originally (at the suggestion of HijackThis), and I think it fixed -some- of the problem, but clearly didn't fix all of it.

 

BFU log:

 

-----------------------------------------------------------------------------

 

 

BFU v1.00.9

Windows XP (WinNT 5.01.2600 )

Script started at 10:06:14 PM, on 5/13/2006

 

Option Unload Explorer: Yes

Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)

Failed: ServiceStop Network Monitor (service not found)

Failed: ServiceStop cmdService (service not found)

Failed: ServiceDisable Network Monitor (service not found)

Failed: ServiceDisable cmdService (service not found)

Failed: ServiceDelete Network Monitor (service not found)

Failed: ServiceDelete cmdService (service not found)

Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)

Option pause between commands: 300 ms

Option pause between commands: 50 ms

Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)

Failed: FolderDelete C:\Program Files\winupdates (folder not found)

Failed: FolderDelete C:\Program Files\winupdate (folder not found)

Failed: FolderDelete C:\Program Files\winsupdater (folder not found)

Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)

Failed: FolderDelete C:\Program Files\MsMovies (folder not found)

Failed: FolderDelete C:\Program Files\wmplayer (folder not found)

Failed: FolderDelete C:\Program Files\outlook (folder not found)

Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)

Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)

Failed: FileDelete C:\DOCUME~1\EMACHI~1\LOCALS~1\Temp\~DF383E.tmp (operation failed)

Failed: FileDelete C:\DOCUME~1\EMACHI~1\LOCALS~1\Temp\~DF467B.tmp (operation failed)

Failed: FileDelete C:\WINDOWS\Temp\Perflib_Perfdata_680.dat (operation failed)

Failed: FileDelete C:\WINDOWS\Temp\Perflib_Perfdata_6d4.dat (operation failed)

Failed: FolderDelete C:\WINDOWS\Temp\_avast4_ (operation failed)

Failed: FolderDelete C:\Documents and Settings\eMachines\Local Settings\Temporary Internet Files\Content.IE5\RJTUVNXP (operation failed)

Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)

Failed: FolderDelete C:\Program Files\DNS (folder not found)

Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)

Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)

Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)

Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)

Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)

Failed: FolderDelete C:\Program Files\Update06 (folder not found)

Failed: FolderDelete C:\Program Files\Update03 (folder not found)

Failed: FolderDelete C:\Program Files\Update04 (folder not found)

Failed: FolderDelete C:\Program Files\Update08 (folder not found)

Failed: FolderDelete C:\Program Files\W-Update (folder not found)

Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)

Failed: FolderDelete C:\Program Files\Cas (folder not found)

Failed: FolderDelete C:\Program Files\CasStub (folder not found)

Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)

Failed: FolderDelete C:\Program Files\ipwins (folder not found)

Failed: FolderDelete C:\temp (folder not found)

Failed: FolderCreate C:\bintheredunthat (folder already exists)

Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)

Script completed.

 

 

-----------------------------------------------------------------------------

 

Also, when you say go to the "Control Panel" and find New.Net (or NewDotNet) and remove it, do you mean that I should go into the Add/Remove Programs section of the Control Panel? Because I'm not seeing it there. However SpybotSD did claim to have removed NewDotNet, so it may be gone already. Right?

 

-Full Zombie


Yes, sorry, it is listed in Add/Remove Programs within the Control Panel.

 

Is it listed there?

 

If not, I think we need a new HijackThis log after a reboot because the log you first posted had a lot of entries still in it that may now be gone because of the run you did with Spybot or other programs.

 

The BIG question is...did you also run Adaware?


No, there's nothing overtly odd in the Add/Remove programs. And no, I didn't run Adaware. I'll reboot right now and rerun HijackThis and post another log.

 

-Full Zombie


Here is the HiJackThis log.

 

Logfile of HijackThis v1.99.1

Scan saved at 10:30:48 PM, on 5/13/2006

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\regsvr32.exe

C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\mHotkey.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\cfg32.exe

C:\Program Files\Ares\Ares.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\cfg32a.exe

C:\Documents and Settings\eMachines\Desktop\antiv\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.play.net/dr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hp44E8.tmp (file missing)

O2 - BHO: (no name) - {F065EED2-914D-456A-84DF-52E88BAAE029} - C:\Program Files\Common Files\horel.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm

O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\aim\aim.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Microsoft DLL Registration Component (DLLReg) - Unknown owner - C:\WINDOWS\regsvr32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

 

-Full Zombie


In case you hadn't noticed this is the Lavasoft Support Forum (maker of Adaware)

 

HijackThis is not a standalone removal tool and it doesn't scan the entire system, nor is it intended as a fix tool (not the silver bullet) nor the first tool you should be using.

 

This Hijackthis forum is to assist Adaware users who have new variants of nasties not detected by that program.

 

Could you first please follow these directions and post your Adaware log for review? Be sure to update it first because new updates were for the Smitfraud infection you had (and others) that I see in your HijackThis log - most of the active infection cleaned up. The Adaware logs can be very long so put the log into a zip file and attach it (as an attachment) to your next reply rather than trying to copy and paste it all in.

 

Please can you make sure that you are using

Ad-aware SE Build 106r1

Note: If your version is 6.0 and not the SE, you need to uninstall and get the latest version from the above link.

 

[if not Uninstall your old Ad-aware first then install SE]

Then use the WebUpDate

to get the latest Definition file

SE1R107 09.05.2006

To do this Open Ad-aware

Click the WebUpDate

button at the top right hand side of the Ad-aware screen (The world globe).

Click "Connect"

Ad-aware will then download the latest Definition file for you.

To make sure it is updated , look at the main

Ad-aware screen, and look under "Initialization Status"

It should say the Latest Definition file.

then scan doing a "Full Scan" and then post your logfile here by using the Add-Reply Feature .

As Logs are stored in :

C:\Documents and Settings\USERNAME\Application Data\Lavasoft\Ad-aware\Logs\.

An easy way to get there is to

click Start,

click Run

And type in and press ENTER: %appdata%

then click Lavasoft

then Ad-Aware

and then Logs.

scroll down to find the latest one that you have

(by date & time)

and open it right Click select all

copy and then paste the contents of it here.

(Make sure that all of your Logfile has been posted, sometimes it will require two posts to get it all)

I recommend that you use the WebUpDate just before you scan that way you will always be up to date.

 

(Note: The Application Data folder is a hidden folder, so you will need to show hidden files and folders.)


Also, you didn't answer my question about: How come no service packs on XP??


This computer was just recently purchased, and I haven't been really using it (like I said, it's the girlfriend's now). I really didn't think about the service packs, because my computer downloads them automatically (and I've never had a virus, because I don't click on anything I don't recognize). However now I realize that this PC needs a little TLC in the way of updates, which I will be doing as soon as I can. Right now I'm having trouble keeping it online, because popups keep storming the screen. Most of my correspondence up to this point has been from my PC, while I keep jumping from chair to chair to try and fix hers.

 

-Full Zombie


Logfile of HijackThis v1.99.1

Scan saved at 11:28:13 PM, on 5/13/2006

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\regsvr32.exe

C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\mHotkey.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\cfg32.exe

C:\Program Files\Ares\Ares.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\cfg32a.exe

C:\Documents and Settings\eMachines\Desktop\antiv\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.play.net/dr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hp44E8.tmp (file missing)

O2 - BHO: (no name) - {F065EED2-914D-456A-84DF-52E88BAAE029} - C:\Program Files\Common Files\horel.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm

O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\aim\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Microsoft DLL Registration Component (DLLReg) - Unknown owner - C:\WINDOWS\regsvr32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

 

----------------------------------------------------------------------------------------------------

 

I still see cfg32a.exe. Am I right that this is a bad one?

 

-Full Zombie


Well, it looks like you went off to bed, not surprising seeing the time. I'll check back tomorrow, but I can tell you for certain right now that I still have whichever part of the infection that causes popup ads to swarm my screen whenever I open the internet. Whatever help you can offer at whatever time will be great.

 

-Full Zombie


cfg32a.exe is likely a worm but isn't the only infection showing

 

 

1. Print out or save to notepad these instructions as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to see the instruction from)

 

2. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

 

3. Download, install, and update Ewido AntiMalware (get the free trial version)

http://www.ewido.net/en/download/

 

a. Install Ewido AntiMalware

 

b. Launch Ewido, there should be a big yellow E icon on your desktop, double-click it.

 

c. The program will prompt you to update click the OK button

 

d. The program will now go to the main screen

 

e. On the left hand side of the main screen click on Update

 

f. Click on Start. The update will start and a progress bar will show the updates being installed.

 

g. Do not scan yet. We'll do that later in SAFE MODE. After updating close Ewido and any open programs.

 

4. Reboot into Safe Mode

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

5. Once in safe mode, start Ewido AntiMalware

 

a. Click on scanner

 

b. Click on *complete system scan*

 

c. Let the program scan the machine.

 

d. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose Remove, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time.

Checkmark the box: *Create encrypted backup in the quarantine* (recommended)

 

Click OK.

 

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

 

 

6. Open the SmitfraudFix folder and double-click smitfraudfix.cmd

 

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process, if your computer does not restart automatically please do it yourself manually.

........................

7. Reboot back to normal mode.

 

8. Get a free online AV scan at Panda's ActiveScan

Let it remove any infected files found, and when it finishes save the log at the end to post back here.

 

Panda's Active Scan

http://www.pandasoftware.com/activescan/co...n_principal.htm

(Don't forget to *save report* at the end. We need you to post a copy with your topic reply)

 

9. Now please scan with HijackThis to produce a log. Post that log into your topic along with the Ewido log you saved earlier and the Panda report.

 

Logs needed in your next post are:

 

rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed

 

Ewido Scan report

 

Panda ActiveScan report

 

Fresh HijackThis log


Okay, the HijackThis log did not get attached for some reason. Here it is.

 

--------------------------------------------------------------------------------

 

Logfile of HijackThis v1.99.1

Scan saved at 8:44:13 PM, on 5/14/2006

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\mHotkey.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\cfg32.exe

C:\Program Files\Ares\Ares.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\cfg32a.exe

C:\Program Files\Avant Browser\avant.exe

C:\Documents and Settings\eMachines\Desktop\antiv\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll

O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll

O2 - BHO: (no name) - {F065EED2-914D-456A-84DF-52E88BAAE029} - C:\Program Files\Common Files\horel.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm

O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\aim\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Microsoft DLL Registration Component (DLLReg) - Unknown owner - C:\WINDOWS\regsvr32.exe (file missing)

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

 

--------------------------------------------------------------------------------

 

-Full Zombie

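The checks a helper applies when reading a log like the one above, written out as a small Python triage script. This is an added example, not part of the thread and not HijackThis's own code: it parses O2/O3/O4/O23 entries and flags a System32-only binary loaded from anywhere else, a registration whose file is missing, and loose binaries sitting in the Windows root. The sample lines are copied from the log; the list of System32-only names and the Windows-root paths are my assumptions for Windows XP.

```python
import re
from dataclasses import dataclass

# Constructed sample: eight lines copied from the HijackThis log posted in this
# thread, mixing the entries the helper later flagged with known-good ones.
SAMPLE_LOG = r"""
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {F065EED2-914D-456A-84DF-52E88BAAE029} - C:\Program Files\Common Files\horel.dll (file missing)
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O23 - Service: Microsoft DLL Registration Component (DLLReg) - Unknown owner - C:\WINDOWS\regsvr32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

# Assumption: binaries that on Windows XP live only under %WINDIR%\System32.
# A same-named file anywhere else (the log's C:\WINDOWS\regsvr32.exe) is a masquerade.
SYSTEM32_ONLY = {"regsvr32.exe", "svchost.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "csrss.exe", "smss.exe", "rundll32.exe"}
# Assumed Windows roots; few legitimate programs drop loose DLL/EXE files here.
WINDOWS_ROOTS = {"c:\\windows", "c:\\winnt"}
SECTIONS = {"O2", "O3", "O4", "O23"}
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+)')


@dataclass
class Finding:
    section: str   # HijackThis section the entry came from
    path: str      # file the entry loads
    severity: str
    reason: str


def extract_path(body):
    """Return (path, file_missing) for one entry body, dropping quotes and args."""
    missing = body.endswith("(file missing)")
    if missing:
        body = body[: -len("(file missing)")].rstrip()
    m = PATH_RE.search(body)
    if not m:
        return "", missing          # e.g. a bare SOUNDMAN.EXE resolved via PATH
    path = re.sub(r"(\s+[-/]\S*)+$", "", m.group(1)).strip()
    return path, missing


def triage(log_text):
    """Apply the three heuristics to every O2/O3/O4/O23 line; return Findings."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m or m.group(1) not in SECTIONS:
            continue
        section, body = m.groups()
        path, missing = extract_path(body)
        if not path:
            continue
        low = path.lower()
        parent, _, base = low.rpartition("\\")
        if base in SYSTEM32_ONLY and "\\system32\\" not in low:
            findings.append(Finding(section, path, "high",
                f"{base} belongs in System32 but is loaded from {parent}"))
        if missing:
            findings.append(Finding(section, path, "medium",
                "registration points at a file no longer on disk (stale or half-removed)"))
        if parent in WINDOWS_ROOTS:
            findings.append(Finding(section, path, "low",
                "loose binary in the Windows root; confirm the publisher"))
    return findings


def worst(findings):
    """Highest severity present, 'none' for an empty list."""
    return max((f.severity for f in findings),
               key=SEVERITY_RANK.__getitem__, default="none")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.path}: {f.reason}")
    print("overall:", worst(triage(SAMPLE_LOG)))
```

The low-severity rule is deliberately only a lead: SOUNDMAN.EXE and mHotkey.exe in the same log also sit in C:\WINDOWS and are legitimate OEM tray programs, so a Windows-root hit means "look up the publisher", not "delete". The System32 masquerade rule is the one that gives a verdict on its own.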

Oh, I downloaded and installed all of the updates for XP that I needed (I think) and set the computer to auto-update just like mine. I did this after I got all those logs, though. Will I need new logs, or will those be fine?

 

-Full Zombie


Those logs will be fine for now - give me a little to review them and I'll reply back here in just a bit.

 

And no, I didn't need you to pay Panda to disinfect, I just wanted to get the log it creates to see what it found. Many times the files can be removed manually or with other tools :)

 

Pasting in the other reports for easier reading:

SmitFraudFix v2.44

 

Scan done at 19:55:51.56, Sun 05/14/2006

Run from C:\Documents and Settings\eMachines\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600]

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

---------------------------------------------------------

ewido anti-malware - Scan report

---------------------------------------------------------

 

+ Created on: 7:54:59 PM, 5/14/2006

+ Report-Checksum: A49F7A6C

 

+ Scan result:

 

C:\bintheredunthat\Tagasaurus.exe -> Dropper.Agent.hl : Cleaned with backup

C:\Documents and Settings\eMachines\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup

C:\Documents and Settings\eMachines\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Cleaned with backup

C:\Documents and Settings\eMachines\Cookies\[email protected][2].txt -> TrackingCookie.Searchingbooth : Cleaned with backup

C:\Documents and Settings\eMachines\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup

C:\Documents and Settings\eMachines\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : Cleaned with backup

C:\Documents and Settings\eMachines\Cookies\[email protected][1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup

C:\Documents and Settings\eMachines\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned with backup

C:\Documents and Settings\eMachines\Cookies\[email protected][2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup

C:\Documents and Settings\eMachines\Cookies\[email protected][1].txt -> TrackingCookie.Top-banners : Cleaned with backup

C:\Documents and Settings\eMachines\Cookies\emachines@##nospam.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\eMachines\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\eMachines\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\eMachines\Cookies\[email protected][1].txt -> TrackingCookie.Popuptraffic : Cleaned with backup

C:\Documents and Settings\eMachines\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup

C:\Documents and Settings\eMachines\Cookies\[email protected][1].txt -> TrackingCookie.Adtrak : Cleaned with backup

C:\Documents and Settings\eMachines\Cookies\[email protected][1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup

C:\Documents and Settings\eMachines\Local Settings\Temporary Internet Files\Content.IE5\RJTUVNXP\wallpap[1].exe -> Hijacker.Agent.gp : Cleaned with backup

C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup

C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt -> TrackingCookie.Top-banners : Cleaned with backup

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\BYVX7K3H\drsmartload45a[1].exe -> Downloader.Adload.bj : Cleaned with backup

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HOQGD751\defender19a[1].exe -> Hijacker.VB.nh : Cleaned with backup

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HOQGD751\Tagasaurus[1].exe -> Dropper.Agent.hl : Cleaned with backup

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NN163C7U\keyboard19[1].exe -> Downloader.VB.ys : Cleaned with backup

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NN163C7U\NNSCAA638[1].EXE -> Adware.NewDotNet : Cleaned with backup

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ZUHAOAD0\drsmartload46a[1].exe -> Downloader.Adload.bi : Cleaned with backup

C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup

C:\Program Files\Common Files\horel.dll -> Downloader.Small.ctp : Cleaned with backup

C:\Program Files\Snowball Wars\SnowballWars.exe -> Dropper.VB.mz : Cleaned with backup

C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup

C:\WINDOWS\regsvr32.exe -> Backdoor.SdBot.aad : Cleaned with backup

C:\WINDOWS\system32\ad.html -> Hijacker.Agent.e : Cleaned with backup

C:\WINDOWS\wallpap.exe -> Hijacker.Agent.gp : Cleaned with backup

 

 

::Report End

......................................

Panda ActiveScan

 

Incident Status Location

 

Spyware:Cookie/888 Not disinfected C:\Documents and Settings\eMachines\Cookies\[email protected][1].txt

Spyware:Cookie/888 Not disinfected C:\Documents and Settings\eMachines\Cookies\[email protected][2].txt

Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\eMachines\Cookies\[email protected][1].txt

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\eMachines\Cookies\[email protected][1].txt

Spyware:Cookie/Allthatsearch Not disinfected C:\Documents and Settings\eMachines\Cookies\[email protected][1].txt

Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\eMachines\Cookies\[email protected][1].txt

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\eMachines\Cookies\[email protected][2].txt

Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\eMachines\Cookies\[email protected][1].txt

Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\eMachines\Cookies\[email protected][1].txt

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\eMachines\Desktop\SmitfraudFix\SmitfraudFix\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\eMachines\Desktop\SmitfraudFix.zip[smitfraudFix/Process.exe]

Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\system32\VSL03.exe[VSL.dl_]


First, please find all of these files and put them into a zip file.

C:\WINDOWS\cfg32p.dll

C:\WINDOWS\cfg32r.dll

C:\WINDOWS\cfg32o.dll

C:\WINDOWS\cfg32s.dll

C:\WINDOWS\cfg32.exe

 

Right-click on the zip file and encrypt it (give it a password of: infected). Then email it to me {Edit: email addy removed as no longer needed}

I need to get those analyzed and submitted to antimalware programs, depending on what it is, as nothing we have used is detecting it.


I also found these:

 

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\BYVX7K3H\cfg32[1]

C:\WINDOWS\cfg32a

 

Both are .exe's, I think, and the first of the two is in a hidden folder with a number of other odd files (some are HTML files), one of which contains profanity in the filename, which I found strange. Would you like me to add any of these to that ZIP file as well?

 

-Full Zombie

Right-click on the zip file and encrypt it (give it a password of: infected).

 

I don't seem to have an encrypting option when I right-click the ZIP file.

 

-Full Zombie


Oh, sorry. In XP, it's: select the .zip file, and do File / Add a password. Make the password: infected.

 

Include this file, yes:

C:\WINDOWS\cfg32a

 

But not this one (that's in your cache/Temporary Internet files)

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\BYVX7K3H\cfg32[1]


As expected, this appears to be a new variant or variation of the parasite: BookedSpace

The exe at least is new to me and not many scanners are recognizing it. I'll get it out to all the antimalware companies for detection.

 

Complete scanning result of "cfg32.exe", received in VirusTotal at 05.15.2006, 23:06:39 (CET).

 

Antivirus Version Update Result

AntiVir 6.34.1.27 05.15.2006 TR/Drop.Searchy.6

Avast 4.6.695.0 05.15.2006 no virus found

AVG 386 05.15.2006 no virus found

BitDefender 7.2 05.15.2006 no virus found

CAT-QuickHeal 8.00 05.15.2006 no virus found

ClamAV devel-20060426 05.15.2006 no virus found

DrWeb 4.33 05.15.2006 Adware.BookedSpace

eTrust-InoculateIT 23.72.8 05.14.2006 no virus found

eTrust-Vet 12.4.2209 05.15.2006 no virus found

Ewido 3.5 05.15.2006 no virus found

Fortinet 2.76.0.0 05.15.2006 no virus found

F-Prot 3.16c 05.15.2006 no virus found

Ikarus 0.2.65.0 05.15.2006 no virus found

Kaspersky 4.0.2.24 05.15.2006 no virus found

McAfee 4762 05.15.2006 potentially unwanted program Adware-BkdSpace

Microsoft 1.1372 05.13.2006 no virus found

NOD32v2 1.1539 05.15.2006 a variant of Win32/Adware.BkdSpace

Norman 5.90.17 05.15.2006 no virus found

Panda 9.0.0.4 05.15.2006 Suspicious file

Sophos 4.05.0 05.15.2006 no virus found

Symantec 8.0 05.15.2006 no virus found

TheHacker 5.9.7.143 05.15.2006 no virus found

UNA 1.83 05.15.2006 no virus found

VBA32 3.11.0 05.15.2006 suspected of Downloader.Small.103 (paranoid heuristics)

Additional Information

File size: 2088960 bytes

MD5: b1d7c0430feb0528d839a4d99f52d18c

SHA1: ddbf47daaf522849f5bff093c0735c51f9cbdb5a

 

From the old DoxDesk database (an older variant), but this describes what it is and does.

Database: BookedSpace

 

BookedSpace is an Internet Explorer Browser Helper Object used to show advertising.

Variants

 

BookedSpace/Remanent: early variant (around July 2003) with filename rem00001.dll, controlling server 66.225.192.199.

 

BookedSpace/BS2, BookedSpace/BS3, BookedSpace/BS4, BookedSpace/BS5: newer revisions (August 2003) with filename bs2.dll, bs3.dll, oo4.dll and bsx5.dll or bxxs5.dll, controlling server www.bookedspace.com.

Distribution

 

BookedSpace/Remanent is silently installed by MThree MP3 to WAV converter. BookedSpace/BS2, BS3 and BXXS5 are silently installed by versions of FreeWire and FreeMP3Player.

What it does

Advertising

 

Yes. BookedSpace can contact its controlling server when a new page is visited, which may direct it to open pop-up ads.

 

Privacy violation

Yes. When the controlling server is contacted, the URL of the current page is passed along with a user ID for tracking purposes.

 

Security issues

Yes. May download and install third-party software as directed by its controlling server. The later variants have been seen to install the BargainBuddy, nCase, MySearch/MyWay, TVMedia, DownloadWare and TopMoxie/eBates parasites.

Stability problems

 

Seems to stop IE address bar searches from working.

 

.......................................................

Make a copy of these instructions to have handy. This fix needs to be done with IE closed (and any other open windows... make sure ONLY HijackThis is open). Now close everything except HijackThis.

 

Do a *scan only* with HijackThis and when it finishes checkmark all of these entries:

 

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll

 

O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll

 

O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll

 

O2 - BHO: (no name) - {F065EED2-914D-456A-84DF-52E88BAAE029} - C:\Program Files\Common Files\horel.dll (file missing)

 

O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll

 

O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe

 

O23 - Service: Microsoft DLL Registration Component (DLLReg) - Unknown owner - C:\WINDOWS\regsvr32.exe (file missing)

 

Delete these files (and any other cfg32 files you found)

 

C:\WINDOWS\cfg32s.dll

 

C:\WINDOWS\cfg32.exe

 

C:\WINDOWS\regsvr32.exe

 

Reboot.

 

Scan again with HijackThis and post a fresh log please.
