Please help - blackworm, tagasaurus, surfside [RESOLVED] - Geeks to Go Forums


Please help - blackworm, tagasaurus, surfside [RESOLVED] hijackthis log here, ewido too

#1 01WhiteRanger

  • Group: Member
  • Posts: 14
  • Joined: 29-March 06

Posted 29 March 2006 - 07:45 PM

I have a pop-up-infected laptop. Please help; it is way beyond my capability to resolve.
Ewido log below
Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:23:49 PM, on 3/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\catanachs\My Documents\MyPrograms\HijackThis\2006\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ledgk.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,vyjjvju.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwaprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\o6rolg9316.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe

Ewido:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:30:02 PM, 3/27/2006
+ Report-Checksum: 663E8D20

+ Scan result:



::Report End

#2 Trevuren

  • Group: Retired Staff
  • Posts: 18,699
  • Joined: 19-January 05

Posted 29 March 2006 - 11:50 PM

Hi 01WhiteRanger and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.


Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

Regards,

Trevuren


#3 01WhiteRanger

  • Group: Member
  • Posts: 14
  • Joined: 29-March 06

Posted 30 March 2006 - 10:50 AM

Thanks for responding; I will try this tonight.

#4 Trevuren

  • Group: Retired Staff
  • Posts: 18,699
  • Joined: 19-January 05

Posted 30 March 2006 - 12:09 PM

Sounds like a plan to me.

Trevuren


#5 01WhiteRanger

  • Group: Member
  • Posts: 14
  • Joined: 29-March 06

Posted 30 March 2006 - 03:53 PM

Here are the logs after Look2Me-Destroyer:


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 3/30/2006 3:37:10 PM


Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP254\A0060730.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP254\A0060730.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP254\A0060736.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP254\A0060736.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP254\A0060752.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP254\A0060752.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP254\A0060756.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP254\A0060756.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP254\A0060763.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP254\A0060763.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP254\A0060768.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP254\A0060768.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP254\A0060774.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP254\A0060774.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP256\A0060800.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP256\A0060800.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP256\A0061800.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP256\A0061800.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0061954.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0061954.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0061970.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0061970.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0061977.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0061977.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0061990.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0061990.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0061996.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0061996.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062013.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062013.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062014.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062014.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062015.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062015.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062016.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062016.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062017.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062017.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062018.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062018.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062019.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062019.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062031.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062031.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062033.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062033.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062034.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062034.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062035.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062035.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062036.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062036.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062043.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062043.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062045.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062045.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062055.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062055.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062066.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062066.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062075.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062075.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062083.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP258\A0062083.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP259\A0062173.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP259\A0062173.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP259\A0062182.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP259\A0062182.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP259\A0062190.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP259\A0062190.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP259\A0062206.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP259\A0062206.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP259\A0062214.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP259\A0062214.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP259\A0062227.dll
C:\System Volume Information\_restore{21A3E2D5-A8D9-4171-A328-B80B534E4EF8}\RP259\A0062227.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\enj4l11q1.dll
C:\WINDOWS\system32\enj4l11q1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\h0l2la3o1d.dll
C:\WINDOWS\system32\h0l2la3o1d.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lv6o09j3e.dll
C:\WINDOWS\system32\lv6o09j3e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{882B2690-5133-40FB-9754-8AE6C948DE64}"
HKCR\Clsid\{882B2690-5133-40FB-9754-8AE6C948DE64}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{987B80F8-9B80-401B-99E9-2F11C20F3C65}"
HKCR\Clsid\{987B80F8-9B80-401B-99E9-2F11C20F3C65}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2F7F66B4-8861-4D0E-996B-BE9A14B4A6E0}"
HKCR\Clsid\{2F7F66B4-8861-4D0E-996B-BE9A14B4A6E0}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BE20293B-8B44-47AB-B52F-6C98B44BA8C5}"
HKCR\Clsid\{BE20293B-8B44-47AB-B52F-6C98B44BA8C5}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{88B8BAAA-F716-4D58-ABFF-18E5577597F7}"
HKCR\Clsid\{88B8BAAA-F716-4D58-ABFF-18E5577597F7}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{693781F4-3D16-4C51-AC1B-27607B4462D8}"
HKCR\Clsid\{693781F4-3D16-4C51-AC1B-27607B4462D8}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{615B5097-645C-4A57-A459-CFB2C285CB2B}"
HKCR\Clsid\{615B5097-645C-4A57-A459-CFB2C285CB2B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{EF93F86E-F52A-4F72-B5F8-34F716053F0B}"
HKCR\Clsid\{EF93F86E-F52A-4F72-B5F8-34F716053F0B}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

Logfile of HijackThis v1.99.1
Scan saved at 3:50:27 PM, on 3/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\catanachs\My Documents\MyPrograms\HijackThis\2006\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ledgk.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,vyjjvju.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwaprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe

#6 Trevuren

  • Group: Retired Staff
  • Posts: 18,699
  • Joined: 19-January 05

Posted 30 March 2006 - 06:19 PM

Please download WebRoot SpySweeper from HERE (It's a 14-day trial):
  • Click Download Now to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:

    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.

  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply along with a fresh HJT log.

Regards,

Trevuren


#7 01WhiteRanger

  • Group: Member
  • Posts: 14
  • Joined: 29-March 06

Posted 31 March 2006 - 05:59 AM

I was surprised to see that all of the repair files were infected.
The Webroot was a very deep-diving program. It did not do just a simple scan but actually traced all the linked file calls. Cool, but it sure took a while to scan my 80k files.

********
6:45 PM: | Start of Session, Thursday, March 30, 2006 |
6:45 PM: Spy Sweeper started
6:45 PM: Sweep initiated using definitions version 645
6:45 PM: Starting Memory Sweep
6:47 PM: Found Adware: clkoptimizer
6:47 PM: Detected running threat: C:\WINDOWS\system32\bclccmg.dll (ID = 268933)
6:56 PM: Detected running threat: C:\WINDOWS\system32\uumble.exe (ID = 268995)
6:56 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || tlqskc (ID = 0)
6:56 PM: HKU\WRSS_Profile_S-1-5-21-1482476501-1935655697-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Run || qiwum (ID = 0)
6:56 PM: HKU\S-1-5-21-1482476501-1935655697-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Run || qiwum (ID = 0)
6:56 PM: Detected running threat: C:\WINDOWS\system32\ledgk.exe (ID = 268934)
6:56 PM: Detected running threat: C:\WINDOWS\system32\ledgk.exe (ID = 268934)
6:56 PM: Detected running threat: C:\WINDOWS\system32\ledgk.exe (ID = 268934)
7:01 PM: Memory Sweep Complete, Elapsed Time: 00:15:55
7:01 PM: Starting Registry Sweep
7:02 PM: Found Adware: cws_ns3
7:02 PM: HKCR\clsid\{16c710fd-4c93-9c02-15fc-681df7937350}\ (4 subtraces) (ID = 118087)
7:02 PM: HKLM\software\classes\clsid\{16c710fd-4c93-9c02-15fc-681df7937350}\ (4 subtraces) (ID = 119958)
7:02 PM: Found Adware: ist istbar
7:02 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\istactivex.dll (ID = 129174)
7:03 PM: Found Adware: surfsidekick
7:03 PM: HKLM\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143400)
7:03 PM: Found Adware: directrevenue-abetterinternet
7:03 PM: HKCR\clsid\{fc955bb2-daa2-e394-1dd3-e8a207b823a6}\ (4 subtraces) (ID = 145797)
7:03 PM: HKLM\software\classes\clsid\{fc955bb2-daa2-e394-1dd3-e8a207b823a6}\ (4 subtraces) (ID = 145878)
7:03 PM: Found Adware: ist software
7:03 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/ysbactivex.dll\ (2 subtraces) (ID = 147854)
7:03 PM: Found Adware: ist yoursitebar
7:03 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\ysbactivex.dll (ID = 147857)
7:03 PM: Found Adware: visfx
7:03 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\ (2 subtraces) (ID = 712951)
7:03 PM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
7:03 PM: Found Adware: ieplugin
7:03 PM: HKLM\software\microsoft\windows\currentversion\uninstall\internet explorer toolbar - intelligent explorer\ (2 subtraces) (ID = 841077)
7:03 PM: HKLM\software\qstat\ || brr (ID = 877670)
7:03 PM: Found Adware: dollarrevenue
7:03 PM: HKLM\software\policies\ || {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} (ID = 916803)
7:03 PM: Found Adware: enbrowser
7:03 PM: HKLM\software\system\sysold\ (ID = 926808)
7:03 PM: Found Adware: command
7:03 PM: HKLM\system\currentcontrolset\services\cmdservice\ (4 subtraces) (ID = 958670)
7:03 PM: HKLM\software\policies\ || {6bf52a52-394a-11d3-b153-00c04f79faa6} (ID = 967836)
7:03 PM: HKLM\software\microsoft\windows\currentversion\uninstall\webnexus\ (2 subtraces) (ID = 1006191)
7:03 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
7:03 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
7:03 PM: HKLM\software\policies\ || {645ff040-5081-101b-9f08-00aa002f954e} (ID = 1036890)
7:03 PM: Found Adware: marketscore
7:03 PM: HKCR\clsid\{cd1b7795-13bc-4a12-bf42-a52748971aa2}\ (20 subtraces) (ID = 1144173)
7:03 PM: HKCR\typelib\{fe844296-3c38-4b78-a272-87557622c953}\ (9 subtraces) (ID = 1144194)
7:03 PM: HKLM\software\classes\clsid\{cd1b7795-13bc-4a12-bf42-a52748971aa2}\ (20 subtraces) (ID = 1144222)
7:03 PM: HKLM\software\classes\typelib\{fe844296-3c38-4b78-a272-87557622c953}\ (9 subtraces) (ID = 1144226)
7:03 PM: HKCR\iceclientatl.surveyclientctl\ (5 subtraces) (ID = 1149340)
7:03 PM: HKCR\iceclientatl.surveyclientctl.1\ (3 subtraces) (ID = 1149346)
7:03 PM: HKLM\software\classes\iceclientatl.surveyclientctl\ (5 subtraces) (ID = 1149354)
7:03 PM: HKLM\software\classes\iceclientatl.surveyclientctl.1\ (3 subtraces) (ID = 1149360)
7:03 PM: Found Adware: quicklink search toolbar
7:03 PM: HKCR\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180460)
7:03 PM: HKCR\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180464)
7:03 PM: HKCR\fseytdc.yvakt\ (3 subtraces) (ID = 1180468)
7:03 PM: HKCR\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180472)
7:03 PM: HKLM\software\classes\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180510)
7:03 PM: HKLM\software\classes\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180514)
7:03 PM: HKLM\software\classes\fseytdc.yvakt\ (3 subtraces) (ID = 1180518)
7:03 PM: HKLM\software\classes\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180522)
7:03 PM: HKCR\typelib\{3a76a523-4fbc-487c-a94f-a94ea80e48ef}\ (9 subtraces) (ID = 1198901)
7:03 PM: HKLM\software\oj1vshp3a\ (2 subtraces) (ID = 1198933)
7:03 PM: HKLM\software\classes\typelib\{3a76a523-4fbc-487c-a94f-a94ea80e48ef}\ (9 subtraces) (ID = 1198962)
7:03 PM: Found Adware: targetsaver
7:03 PM: HKLM\software\microsoft\windows\currentversion\uninstall\jgaf\ (2 subtraces) (ID = 1198973)
7:03 PM: HKLM\software\microsoft\windows\currentversion\uninstall\jgaf\ || uninstallstring (ID = 1199465)
7:03 PM: HKCR\clsid\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}\ (6 subtraces) (ID = 1212644)
7:03 PM: HKLM\software\classes\clsid\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}\ (6 subtraces) (ID = 1212651)
7:03 PM: Found Adware: ezula ilookup
7:03 PM: HKCR\da.bomb\ (5 subtraces) (ID = 1221354)
7:03 PM: HKCR\da.bomb.1\ (3 subtraces) (ID = 1221359)
7:03 PM: HKCR\onone.theimp\ (5 subtraces) (ID = 1221362)
7:03 PM: HKCR\onone.theimp.1\ (3 subtraces) (ID = 1221367)
7:03 PM: HKCR\clsid\{23fb5add-da37-4a40-9fc0-b0e2384cde92}\ (11 subtraces) (ID = 1221402)
7:03 PM: HKCR\clsid\{ed5d884b-1a35-482e-bea1-dd52f75b6138}\ (11 subtraces) (ID = 1221449)
7:03 PM: HKLM\software\classes\da.bomb\ (5 subtraces) (ID = 1221507)
7:03 PM: HKLM\software\classes\da.bomb.1\ (3 subtraces) (ID = 1221512)
7:03 PM: HKLM\software\classes\onone.theimp\ (5 subtraces) (ID = 1221515)
7:03 PM: HKLM\software\classes\onone.theimp.1\ (3 subtraces) (ID = 1221523)
7:03 PM: HKLM\software\classes\clsid\{23fb5add-da37-4a40-9fc0-b0e2384cde92}\ (11 subtraces) (ID = 1221558)
7:03 PM: HKLM\software\classes\clsid\{ed5d884b-1a35-482e-bea1-dd52f75b6138}\ (11 subtraces) (ID = 1221605)
7:03 PM: Found Adware: findthewebsiteyouneed hijack
7:03 PM: HKU\S-1-5-21-1482476501-1935655697-1060284298-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
7:03 PM: HKU\S-1-5-21-1482476501-1935655697-1060284298-1003\software\system\sysuid\ (1 subtraces) (ID = 731748)
7:03 PM: Found Adware: zquest
7:03 PM: HKU\S-1-5-21-1482476501-1935655697-1060284298-1003\software\microsoft\internet explorer\desktop\components\0\ || source (ID = 1140816)
7:04 PM: Registry Sweep Complete, Elapsed Time:00:02:18
7:04 PM: Starting Cookie Sweep
7:04 PM: Found Spy Cookie: yieldmanager cookie
7:04 PM: catanachs@ad.yieldmanager[1].txt (ID = 3751)
7:04 PM: Found Spy Cookie: adecn cookie
7:04 PM: catanachs@adecn[2].txt (ID = 2063)
7:04 PM: Found Spy Cookie: adknowledge cookie
7:04 PM: catanachs@adknowledge[2].txt (ID = 2072)
7:04 PM: Found Spy Cookie: addynamix cookie
7:04 PM: catanachs@ads.addynamix[1].txt (ID = 2062)
7:04 PM: Found Spy Cookie: falkag cookie
7:04 PM: catanachs@as-us.falkag[1].txt (ID = 2650)
7:04 PM: Found Spy Cookie: atwola cookie
7:04 PM: catanachs@atwola[1].txt (ID = 2255)
7:04 PM: Found Spy Cookie: cardomain cookie
7:04 PM: catanachs@cardomain[2].txt (ID = 2350)
7:04 PM: Found Spy Cookie: exitexchange cookie
7:04 PM: catanachs@exitexchange[2].txt (ID = 2633)
7:04 PM: Found Spy Cookie: clickandtrack cookie
7:04 PM: catanachs@hits.clickandtrack[2].txt (ID = 2397)
7:04 PM: Found Spy Cookie: 2o7.net cookie
7:04 PM: catanachs@msnportal.112.2o7[1].txt (ID = 1958)
7:04 PM: Found Spy Cookie: nextag cookie
7:04 PM: catanachs@nextag[1].txt (ID = 5014)
7:04 PM: Found Spy Cookie: adserver cookie
7:04 PM: catanachs@z1.adserver[1].txt (ID = 2142)
7:04 PM: Cookie Sweep Complete, Elapsed Time: 00:00:05
7:04 PM: Starting File Sweep
7:04 PM: c:\program files\common files\vcclient (9 subtraces) (ID = -2147461290)
7:06 PM: Found Adware: cws_tiny0
7:06 PM: a0062021.exe (ID = 204)
7:06 PM: Found Adware: look2me
7:06 PM: a0060679.exe (ID = 65739)
7:07 PM: a0059616.exe (ID = 270020)
7:10 PM: dc45.exe (ID = 268798)
7:10 PM: nso32.dll (ID = 273239)
7:11 PM: Found Adware: webhancer
7:11 PM: a0059581.dll (ID = 267881)
7:12 PM: a0062025.exe (ID = 65721)
7:13 PM: bclccmg.dll (ID = 268933)
7:13 PM: ledgk.exe (ID = 268934)
7:19 PM: win.exe (ID = 269842)
7:19 PM: Found Adware: elitemediagroup-mediamotor
7:19 PM: a0059639.exe (ID = 251295)
7:20 PM: a0060796.exe (ID = 65722)
7:23 PM: a0059637.exe (ID = 268848)
7:28 PM: a0059523.exe (ID = 244271)
7:29 PM: dc76.dat (ID = 268995)
7:29 PM: a0059550.dll (ID = 267884)
7:31 PM: a0062026.exe (ID = 204)
7:34 PM: a0059645.dll (ID = 243051)
7:37 PM: zapotec.bmp:yelnt (ID = 56208)
7:39 PM: a0059617.exe (ID = 270029)
7:42 PM: a0059551.exe (ID = 267900)
7:43 PM: greenstone.bmp:gvblj (ID = 56287)
7:43 PM: windows update.log:lfuay (ID = 56451)
7:43 PM: windows update.log:vcppv (ID = 56447)
7:47 PM: quicken.ini:pdoqw (ID = 56208)
7:49 PM: prairie wind.bmp:uqoen (ID = 56208)
7:53 PM: a0062029.exe (ID = 204)
7:54 PM: dc78.dat (ID = 268995)
7:54 PM: arbfw.dat (ID = 268995)
7:57 PM: a0059597.exe (ID = 272413)
8:02 PM: winnt256.bmp:geshr (ID = 56451)
8:07 PM: a0060660.exe (ID = 268932)
8:07 PM: a0062024.exe (ID = 65722)
8:10 PM: a0062032.exe (ID = 204)
8:12 PM: a0062041.exe (ID = 204)
8:12 PM: a0062020.exe (ID = 204)
8:16 PM: a0062030.exe (ID = 204)
8:16 PM: a0059650.exe (ID = 212828)
8:17 PM: a0059651.exe (ID = 212830)
8:17 PM: ledgk.exe (ID = 268934)
8:17 PM: a0059643.dll (ID = 235980)
8:18 PM: a0061987.exe (ID = 272413)
8:18 PM: a0060658.exe (ID = 212828)
8:18 PM: vcmain.exe (ID = 212830)
8:18 PM: vcclient.exe (ID = 212828)
8:18 PM: a0060657.exe (ID = 212830)
8:18 PM: a0061968.exe (ID = 65739)
8:18 PM: a0062012.exe (ID = 65739)
8:18 PM: vyjjvju.exe (ID = 268932)
8:19 PM: oewablog.txt:cpezt (ID = 56451)
8:20 PM: a0061989.dll (ID = 271832)
8:21 PM: a0059630.exe (ID = 268932)
8:21 PM: uumble.exe (ID = 268995)
8:21 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || tlqskc (ID = 0)
8:21 PM: HKU\WRSS_Profile_S-1-5-21-1482476501-1935655697-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Run || qiwum (ID = 0)
8:21 PM: HKU\S-1-5-21-1482476501-1935655697-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Run || qiwum (ID = 0)
8:21 PM: a0062054.exe (ID = 268934)
8:21 PM: ncxdr.exe (ID = 268995)
8:21 PM: a0062044.dll (ID = 268933)
8:21 PM: Found Adware: zenosearchassistant
8:21 PM: a0062004.exe (ID = 245938)
8:21 PM: a0062008.exe (ID = 270019)
8:21 PM: a0062010.exe (ID = 270021)
8:21 PM: winhelp.exe:dfnfs (ID = 56208)
8:21 PM: winhelp.exe:ndaux (ID = 56287)
8:21 PM: a0062028.exe (ID = 244277)
8:21 PM: a0059631.exe (ID = 259744)
8:21 PM: a0059635.exe (ID = 293)
8:21 PM: a0059632.exe (ID = 270526)
8:21 PM: Found Trojan Horse: lzio
8:21 PM: a0059638.exe (ID = 81002)
8:21 PM: a0059548.exe (ID = 267882)
8:21 PM: a0059537.exe (ID = 267886)
8:21 PM: Found Adware: purityscan
8:21 PM: a0061998.exe (ID = 271320)
8:21 PM: a0059629.dll (ID = 268799)
8:21 PM: a0059598.exe (ID = 158645)
8:21 PM: vocabulary (ID = 78283)
8:21 PM: a0059633.dll (ID = 259795)
8:21 PM: class-barrel (ID = 78229)
8:21 PM: a0059642.exe (ID = 293)
8:22 PM: dc34.exe (ID = 271829)
8:22 PM: a0059623.exe (ID = 166677)
8:23 PM: a0062009.exe (ID = 193500)
8:24 PM: a0062007.exe (ID = 271836)
8:39 PM: iprof32.dll:rweef (ID = 56208)
8:41 PM: odbc.ini:jolur (ID = 56287)
8:42 PM: soap bubbles.bmp:vlpog (ID = 56451)
8:43 PM: a0059504.exe (ID = 244278)
8:44 PM: bundleinstaller.exe (ID = 269312)
8:44 PM: osi33.tmp (ID = 185507)
8:46 PM: a0062234.dll (ID = 159)
8:46 PM: a0059505.exe (ID = 270029)
8:48 PM: a0061999.exe (ID = 270017)
8:49 PM: vcupdate.exe.config (ID = 212361)
8:50 PM: dc41.exe (ID = 244430)
8:52 PM: a0062233.dll (ID = 159)
8:53 PM: a0062205.exe (ID = 268934)
8:56 PM: dc21.exe (ID = 267188)
8:57 PM: a0062023.dll (ID = 266849)
8:57 PM: a0062001.exe (ID = 244295)
9:00 PM: a0059627.vbs (ID = 231442)
9:00 PM: a0059626.exe (ID = 215807)
9:00 PM: dc40.exe (ID = 150042)
9:02 PM: setupapi.log.0.old:kkfim (ID = 56287)
9:03 PM: sskknwrd.dll (ID = 77733)
9:09 PM: Found Adware: coolwebsearch (cws)
9:09 PM: a0062027.ini:gunkq (ID = 54297)
9:10 PM: a0062037.dll:armlk (ID = 54297)
9:10 PM: a0062039.exe:kbeey (ID = 54297)
9:11 PM: a0059503.exe (ID = 244278)
9:11 PM: a0062040.exe (ID = 245110)
9:12 PM: a0062038.exe (ID = 245111)
9:12 PM: dc17.exe (ID = 244271)
9:12 PM: a0062002.exe (ID = 259745)
9:17 PM: vcupdate.exe (ID = 212831)
9:17 PM: a0059634.exe (ID = 259982)
9:17 PM: a0059506.exe (ID = 271215)
9:17 PM: a0062005.exe (ID = 267157)
9:19 PM: a0059555.dsk (ID = 63344)
9:19 PM: a0062000.exe (ID = 270018)
9:21 PM: a0059644.exe (ID = 235981)
9:22 PM: a0062006.exe (ID = 269821)
9:23 PM: dc29.exe (ID = 268824)
9:23 PM: dc46.exe (ID = 269844)
9:23 PM: a0061962.dll (ID = 159)
9:26 PM: sskcwrd.dll (ID = 77712)
9:30 PM: backup-20060326-125601-365.inf (ID = 63343)
9:30 PM: sskuknwrd.dll (ID = 245940)
9:30 PM: smy1.vbs (ID = 185675)
9:30 PM: clientupdater.bat (ID = 212353)
9:30 PM: vcclient.exe.config (ID = 212358)
9:30 PM: a0059570.cfg (ID = 91140)
9:30 PM: a0059553.ini (ID = 188794)
9:30 PM: a0059552.ini (ID = 267887)
9:30 PM: a0059519.ini (ID = 268430)
9:33 PM: dc54.zip (ID = 271832)
9:41 PM: File Sweep Complete, Elapsed Time: 02:36:43
9:41 PM: Full Sweep has completed. Elapsed time 02:55:22
9:41 PM: Traces Found: 477
5:31 AM: Removal process initiated
5:33 AM: Quarantining All Traces: clkoptimizer
5:33 AM: clkoptimizer is in use. It will be removed on reboot.
5:33 AM: bclccmg.dll is in use. It will be removed on reboot.
5:33 AM: ledgk.exe is in use. It will be removed on reboot.
5:33 AM: uumble.exe is in use. It will be removed on reboot.
5:33 AM: ncxdr.exe is in use. It will be removed on reboot.
5:33 AM: C:\WINDOWS\system32\bclccmg.dll is in use. It will be removed on reboot.
5:33 AM: C:\WINDOWS\system32\uumble.exe is in use. It will be removed on reboot.
5:33 AM: C:\WINDOWS\system32\ledgk.exe is in use. It will be removed on reboot.
5:33 AM: C:\WINDOWS\system32\ledgk.exe is in use. It will be removed on reboot.
5:33 AM: C:\WINDOWS\system32\ledgk.exe is in use. It will be removed on reboot.
5:33 AM: Quarantining All Traces: cws_ns3
5:33 AM: Quarantining All Traces: directrevenue-abetterinternet
5:33 AM: Quarantining All Traces: ist istbar
5:33 AM: Quarantining All Traces: look2me
5:33 AM: Quarantining All Traces: lzio
5:33 AM: Quarantining All Traces: purityscan
5:33 AM: Quarantining All Traces: visfx
5:33 AM: Quarantining All Traces: coolwebsearch (cws)
5:34 AM: Quarantining All Traces: cws_tiny0
5:34 AM: Quarantining All Traces: dollarrevenue
5:34 AM: Quarantining All Traces: elitemediagroup-mediamotor
5:34 AM: Quarantining All Traces: enbrowser
5:34 AM: Quarantining All Traces: marketscore
5:34 AM: Quarantining All Traces: quicklink search toolbar
5:34 AM: Quarantining All Traces: surfsidekick
5:34 AM: Quarantining All Traces: zquest
5:34 AM: Quarantining All Traces: command
5:34 AM: Quarantining All Traces: ezula ilookup
5:34 AM: Quarantining All Traces: findthewebsiteyouneed hijack
5:34 AM: Quarantining All Traces: ieplugin
5:34 AM: Quarantining All Traces: ist software
5:34 AM: Quarantining All Traces: ist yoursitebar
5:34 AM: Quarantining All Traces: targetsaver
5:34 AM: Quarantining All Traces: webhancer
5:35 AM: Quarantining All Traces: zenosearchassistant
5:35 AM: Quarantining All Traces: 2o7.net cookie
5:35 AM: Quarantining All Traces: addynamix cookie
5:35 AM: Quarantining All Traces: adecn cookie
5:35 AM: Quarantining All Traces: adknowledge cookie
5:35 AM: Quarantining All Traces: adserver cookie
5:35 AM: Quarantining All Traces: atwola cookie
5:35 AM: Quarantining All Traces: cardomain cookie
5:35 AM: Quarantining All Traces: clickandtrack cookie
5:35 AM: Quarantining All Traces: exitexchange cookie
5:35 AM: Quarantining All Traces: falkag cookie
5:35 AM: Quarantining All Traces: nextag cookie
5:35 AM: Quarantining All Traces: yieldmanager cookie
5:37 AM: Removal process completed. Elapsed time 00:06:11
********
6:40 PM: | Start of Session, Thursday, March 30, 2006 |
6:40 PM: Spy Sweeper started
6:42 PM: Your spyware definitions have been updated.
6:45 PM: | End of Session, Thursday, March 30, 2006 |

Logfile of HijackThis v1.99.1
Scan saved at 5:56:41 AM, on 3/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\catanachs\My Documents\MyPrograms\HijackThis\2006\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ledgk.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,vyjjvju.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwaprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

I haven't gotten any popups yet. Is it clean? It feels it. What was this insidious attacker?

#8 Trevuren

  • Group: Retired Staff
  • Posts: 18,699
  • Joined: 19-January 05

Posted 31 March 2006 - 10:53 AM

Unfortunately, it isn't clean yet.

A. Download and Save Blacklight to your desktop:
  • Double-click blbeta.exe
  • Accept the agreement and click NEXT.
  • In the following window, click SCAN

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Do not proceed with step #2 or choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"



B.
1. Download FindQoologic.zip
    Save it to your Desktop

2. Click on FindQoologic.zip to open the file:
  • From the taskbar choose EXTRACT
  • From the mini window that pops up, choose "All files/folders" in the lower left-hand corner of the window
  • In the Extract to box, make sure that your Desktop is selected
  • Click on the EXTRACT button
  • A newly-created folder named Find-Qoologic will have appeared on your desktop

3. Click on the FindQoologic folder to open it:
  • Locate and double-click the Find-Qoologic.bat
  • Choose option 1 for Run Findqoologic by typing 1 and press enter
  • This will scan your system
  • Wait until a text opens.

4. Copy/Paste this text into your next reply.

Regards,

Trevuren


#9 01WhiteRanger

  • Group: Member
  • Posts: 14
  • Joined: 29-March 06

Posted 31 March 2006 - 12:15 PM

03/31/06 12:09:28 [Info]: BlackLight Engine 1.0.33 initialized
03/31/06 12:09:28 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/31/06 12:09:29 [Note]: 7019 4
03/31/06 12:09:29 [Note]: 7005 0
03/31/06 12:09:40 [Note]: 7006 0
03/31/06 12:09:40 [Note]: 7011 1636
03/31/06 12:09:41 [Note]: FSRAW library version 1.7.1015

#10 Trevuren

  • Group: Retired Staff
  • Posts: 18,699
  • Joined: 19-January 05

Posted 31 March 2006 - 12:34 PM

Please don't forget the second one


Trevuren


#11 01WhiteRanger

  • Group: Member
  • Posts: 14
  • Joined: 29-March 06

Posted 31 March 2006 - 04:11 PM

Find Qoologic last edited 01/08/2006
Running from
C:\Documents and Settings\catanachs\Desktop\Find-Qoologic\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»» Search by size and name»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

C:\WINDOWS\SYSTEM32\RNAPH.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]

#12 Trevuren

  • Group: Retired Staff
  • Posts: 18,699
  • Joined: 19-January 05

Posted 31 March 2006 - 07:08 PM

A. Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.

  • Please double-click Killbox.exe to run it.

  • Select
    • "Delete on Reboot"
    • Then click on the "All Files" button if there are more than 1 file to delete.

  • Please copy the file path(s) below to the clipboard by highlighting ALL of them and pressing CTRL + C

    C:\WINDOWS\system32\bclccmg.dll
    C:\WINDOWS\system32\uumble.exe
    C:\WINDOWS\system32\ledgk.exe
    C:\Windows\System32\vyjjvju.exe



  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.


B. Please post a fresh HJT log.

Regards,

Trevuren


#13 01WhiteRanger

  • Group: Member
  • Posts: 14
  • Joined: 29-March 06

Posted 31 March 2006 - 09:00 PM

I could not get Killbox to accept the file names. I copy from the text and select file, paste from clipboard. Then I hit the delete and it gives me "You have not Specified and File to Delete, You must Specify a File Path in the Yellow Box"

#14 Trevuren

  • Group: Retired Staff
  • Posts: 18,699
  • Joined: 19-January 05

Posted 31 March 2006 - 09:03 PM

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to Delete:
C:\WINDOWS\system32\bclccmg.dll
C:\WINDOWS\system32\uumble.exe
C:\WINDOWS\system32\ledgk.exe
C:\Windows\System32\vyjjvju.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

Regards,

Trevuren


#15 01WhiteRanger

  • Group: Member
  • Posts: 14
  • Joined: 29-March 06

Posted 31 March 2006 - 09:15 PM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bdgjslvq

*******************

Script file located at: \??\C:\WINDOWS\system32\cgrwradb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\bclccmg.dll not found!
Deletion of file C:\WINDOWS\system32\bclccmg.dll failed!

Could not process line:
C:\WINDOWS\system32\bclccmg.dll
Status: 0xc0000034



File C:\WINDOWS\system32\uumble.exe not found!
Deletion of file C:\WINDOWS\system32\uumble.exe failed!

Could not process line:
C:\WINDOWS\system32\uumble.exe
Status: 0xc0000034



File C:\WINDOWS\system32\ledgk.exe not found!
Deletion of file C:\WINDOWS\system32\ledgk.exe failed!

Could not process line:
C:\WINDOWS\system32\ledgk.exe
Status: 0xc0000034



File C:\Windows\System32\vyjjvju.exe not found!
Deletion of file C:\Windows\System32\vyjjvju.exe failed!

Could not process line:
C:\Windows\System32\vyjjvju.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bdgjslvq

*******************

Logfile of HijackThis v1.99.1
Scan saved at 9:14:10 PM, on 3/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\catanachs\My Documents\MyPrograms\HijackThis\2006\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ledgk.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,vyjjvju.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwaprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

I did notice that a blue screen flashed during the first reboot. Windows then asked if I wanted to restart normally or safe mode...
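The two F2 lines in the fresh HijackThis log are the security-relevant detail of this thread: the Winlogon Shell value carries C:\WINDOWS\system32\ledgk.exe after Explorer.exe, and Userinit carries vyjjvju.exe after Userinit.exe, so both programs would be launched at every logon. The Avenger log reports Status 0xc0000034 for those files, and the HJT log taken afterwards still lists the same F2 entries, so the registry values still reference files that are no longer on disk. The script below is an added example, not code from this thread or from any of the tools it mentions; it parses the F2 lines and the Avenger status blocks (the sample input is constructed from lines quoted above) and reports Shell/Userinit components that are not the expected program, together with the references whose file the Avenger could not find. The only outside fact it relies on is that NTSTATUS 0xC0000034 is STATUS_OBJECT_NAME_NOT_FOUND.

```python
import re

# Constructed sample input: the F2 lines and one O4 line from the HijackThis
# logs posted in this thread. Pasted here so the script runs offline.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ledgk.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,vyjjvju.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed sample input: two of the failure blocks from the Avenger log above.
SAMPLE_AVENGER_LOG = r"""
File C:\WINDOWS\system32\ledgk.exe not found!
Deletion of file C:\WINDOWS\system32\ledgk.exe failed!

Could not process line:
C:\WINDOWS\system32\ledgk.exe
Status: 0xc0000034

File C:\Windows\System32\vyjjvju.exe not found!
Deletion of file C:\Windows\System32\vyjjvju.exe failed!

Could not process line:
C:\Windows\System32\vyjjvju.exe
Status: 0xc0000034
"""

# HijackThis reports the Winlogon Shell and Userinit values as F2 lines.
F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.+)$")
# The Avenger prints the failing path, then an NTSTATUS code a few lines later.
AVENGER_RE = re.compile(
    r"Deletion of file (?P<path>.+?) failed!.*?Status: (?P<code>0x[0-9a-fA-F]+)", re.S
)

# On a clean Windows XP install each value names exactly one program.
EXPECTED = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}

# NTSTATUS names for the codes this thread's Avenger log contains (Windows SDK constant).
NTSTATUS_NAMES = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}


def basename(path):
    """Lower-cased file name of a Windows path or bare file name."""
    return path.rsplit("\\", 1)[-1].lower()


def split_components(value):
    """Split a comma-separated Winlogon value into trimmed, unquoted parts."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def analyze_f2(hjt_log):
    """Flag Shell/Userinit values that carry anything beyond the expected program,
    or that lack it. Returns one dict per suspicious F2 line."""
    findings = []
    for line in hjt_log.splitlines():
        m = F2_RE.match(line.strip())
        if not m:
            continue
        key = m.group("key")
        expected = EXPECTED[key.lower()]
        comps = split_components(m.group("value"))
        names = {basename(c) for c in comps}
        unexpected = [c for c in comps if basename(c) not in expected]
        if unexpected or not expected <= names:
            findings.append({"key": key, "unexpected": unexpected, "line": line.strip()})
    return findings


def avenger_failures(avenger_log):
    """Map each path the Avenger failed to delete to the name of its NTSTATUS code."""
    out = {}
    for m in AVENGER_RE.finditer(avenger_log):
        code = int(m.group("code"), 16)
        out[m.group("path")] = NTSTATUS_NAMES.get(code, "unknown NTSTATUS {:#010x}".format(code))
    return out


def orphaned_references(hjt_log, avenger_log):
    """Winlogon components still referenced in the HJT log although the Avenger
    reported the file as not found: the registry value, not the file, is what is left."""
    missing = {basename(p) for p, name in avenger_failures(avenger_log).items()
               if name == "STATUS_OBJECT_NAME_NOT_FOUND"}
    referenced = {basename(c) for f in analyze_f2(hjt_log) for c in f["unexpected"]}
    return sorted(referenced & missing)


if __name__ == "__main__":
    for f in analyze_f2(SAMPLE_HJT_LOG):
        print("Suspicious Winlogon", f["key"], "->", f["unexpected"])
    for path, status in avenger_failures(SAMPLE_AVENGER_LOG).items():
        print("Avenger could not delete", path, ":", status)
    print("Orphaned Winlogon references:", orphaned_references(SAMPLE_HJT_LOG, SAMPLE_AVENGER_LOG))
```

Run stand-alone it prints both F2 findings, the two STATUS_OBJECT_NAME_NOT_FOUND failures, and the orphaned names ledgk.exe and vyjjvju.exe. The last function is the point of the example: a file-deletion tool reporting "not found" does not clear a Winlogon value, which is why a fresh HJT log taken after the Avenger run still shows the same F2 lines.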
