Unknown Infection possibly related to h91746.exe [RESOLVED]

#1
mr__roarke
Member, 69 posts
I have a problem which I haven't been able to find in the forums directly. It would seem to be a combination of problems listed in the forums, but I can't be certain if it is a string of problems or one large interconnected one.

Problem one: upon startup, a small "box" appears in the upper left hand corner of my desktop. This box is movable and resembles a window which has been minimized as small as possible (for reference, the entire "box" would fit inside of the Recycle Bin icon). In the task manager, it is listed as an IEXPLORER.exe process; when the process is ended, it disappears.

Problem two: more and more frequently, our internet connection becomes disabled and our reconnect is blocked because "the port is already in use or not configured properly." At these times, there is a second dial up connection trying to connect. Our actual dial up connection is named "Technotwist" whereas this new intruder is named "Technotwist 1".

Problem three: mainly when the computer is first booted and to some extent at random intervals, some program opens a dial up connection dialog box to our default connection. It may take anywhere from one to five tries to close it before it stays closed.

Problem four: at random intervals, popups resembling an installation dialog for "Malicious Software Removal Wizard" (amongst others) are appearing and are becoming more and more frequent.

Finally, problem five: today we received an error message related to the h91746.exe trojan(?) which I attempted to fix via a forum post on this site. Whether or not that has been resolved is unknown at the moment.

I would appreciate any help or comments. I apologize if I have missed any forum posts/guidelines/rules that may have made this more informative. Thank you.

#2
don77
Malware Expert, Retired Staff, 18,526 posts
Hello and welcome mr__roarke

* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


#3
mr__roarke
Topic Starter, Member, 69 posts
First, thank you for the extremely fast response. I appreciate it.

Here is the log file:
Logfile of HijackThis v1.99.1
Scan saved at 5:29:56 PM, on 7/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ce96e926.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\regscan.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\MSHEARTS.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = www.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {CD1962F8-FE35-4460-AE5D-4A015E9CAC26} - C:\WINDOWS\SYSTEM32\jdkdjfa.dll (file missing)
O2 - BHO: (no name) - {EC2BB6EE-4681-1C44-20BD-EB3CBFABDE49} - C:\WINDOWS\System32\A9l3aYt8.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [funk] funk.exe
O4 - HKLM\..\Run: [ce96e926.exe] C:\WINDOWS\System32\ce96e926.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ce96e926.exe] C:\Documents and Settings\thomas rodney\Local Settings\Application Data\ce96e926.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxmk815YYUS
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1783A124-1B5E-4743-7B35-425F1A233631} - http://85.255.115.229/1/gdnUS1388.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.co...ic/SimCityX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8195FE8A-2840-4C28-8840-1970F6ABD58F}: NameServer = 209.63.0.6 207.173.86.6
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: NtdzYGTiv - {EC2BB6E8-4681-1C42-6739-DA50BFABDE46} - C:\WINDOWS\System32\nrqdt.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thanks again.

#4
don77
Malware Expert, Retired Staff, 18,526 posts
OK, let's clean up a bit and see if your system starts behaving the way it should.

Make sure you can view all Hidden Files/Folders


Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {CD1962F8-FE35-4460-AE5D-4A015E9CAC26} - C:\WINDOWS\SYSTEM32\jdkdjfa.dll (file missing)
O2 - BHO: (no name) - {EC2BB6EE-4681-1C44-20BD-EB3CBFABDE49} - C:\WINDOWS\System32\A9l3aYt8.dll
O4 - HKLM\..\Run: [funk] funk.exe
O4 - HKLM\..\Run: [ce96e926.exe] C:\WINDOWS\System32\ce96e926.exe
O4 - HKCU\..\Run: [ce96e926.exe] C:\Documents and Settings\thomas rodney\Local Settings\Application Data\ce96e926.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxmk815YYUS
O16 - DPF: {1783A124-1B5E-4743-7B35-425F1A233631} - http://85.255.115.229/1/gdnUS1388.exe
O21 - SSODL: NtdzYGTiv - {EC2BB6E8-4681-1C42-6739-DA50BFABDE46} - C:\WINDOWS\System32\nrqdt.dll


Next, reboot into SAFE MODE.
Search for and delete the folders highlighted in blue and the files highlighted in BOLD:

C:\WINDOWS\SYSTEM32\jdkdjfa.dll
C:\WINDOWS\System32\A9l3aYt8.dll
funk.exe <-- you will need to use the search function to find this one
C:\WINDOWS\System32\ce96e926.exe
C:\Documents and Settings\thomas rodney\Local Settings\Application Data\ce96e926.exe
C:\WINDOWS\System32\nrqdt.dll

Restart your computer, then post back a fresh log please.

#5
mr__roarke
Topic Starter, Member, 69 posts
OK, I couldn't find:
c:\windows\system32\jdkdjfa.dll or
c:\windows\system32\A913aYt8.dll

But the rest have been removed. Here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 6:28:19 PM, on 7/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\regscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = www.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.co...ic/SimCityX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8195FE8A-2840-4C28-8840-1970F6ABD58F}: NameServer = 209.63.0.6 207.173.86.6
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: NtdzYGTiv - {EC2BB6E8-4681-1C42-6739-DA50BFABDE46} - C:\WINDOWS\System32\nrqdt.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
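The two HijackThis logs posted above (before and after the "Fix Checked" round) can be compared mechanically instead of by eye. The following is an added example, not code from this thread or from HijackThis itself: a Python parser for the R/F/N/O entry lines of a v1.99 log that reports which entries disappeared, which appeared, and which surviving entries still point at a file HijackThis could not find (the O21 SSODL line in the second log), using excerpts of the thread's own logs as constructed sample input.

```python
"""Compare two HijackThis logs to verify a cleanup round.

Added example, not part of the forum thread or of HijackThis itself. It
parses the R/F/N/O entry lines of a HijackThis v1.99 log (the format posted
above), reports which entries disappeared between the "before" and "after"
scans, and flags surviving entries that point at a file HijackThis could not
find, since those still need to be fixed (compare the O21 line in log two).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Entry lines start with a section code such as R0, F2, O2, O4 or O21.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
FILE_MISSING = "(file missing)"


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    @property
    def file_missing(self) -> bool:
        return self.body.rstrip().endswith(FILE_MISSING)

    @property
    def key(self) -> str:
        # Identity ignores the "(file missing)" suffix so the same O21 line is
        # matched before and after the DLL itself was deleted.
        return f"{self.section} - {self.body.replace(FILE_MISSING, '').strip()}"


def parse_hjt_log(text: str) -> List[Entry]:
    """Return the R/F/N/O entries of a log; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Entries removed, entries newly added, and entries whose file is gone."""
    b = {e.key: e for e in parse_hjt_log(before)}
    a = {e.key: e for e in parse_hjt_log(after)}
    return {
        "removed": sorted(k for k in b if k not in a),
        "added": sorted(k for k in a if k not in b),
        "still_missing_file": sorted(e.key for e in a.values() if e.file_missing),
    }


def unfixed_entries(fix_list: str, after: str) -> List[str]:
    """Lines from the helper's 'Fix Checked' list that survive in the new log."""
    remaining = {e.key for e in parse_hjt_log(after)}
    return [e.key for e in parse_hjt_log(fix_list) if e.key in remaining]


# Constructed sample input: excerpts of the two logs and the fix list above.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\ce96e926.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {EC2BB6EE-4681-1C44-20BD-EB3CBFABDE49} - C:\WINDOWS\System32\A9l3aYt8.dll
O4 - HKLM\..\Run: [funk] funk.exe
O4 - HKLM\..\Run: [ce96e926.exe] C:\WINDOWS\System32\ce96e926.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O21 - SSODL: NtdzYGTiv - {EC2BB6E8-4681-1C42-6739-DA50BFABDE46} - C:\WINDOWS\System32\nrqdt.dll
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O21 - SSODL: NtdzYGTiv - {EC2BB6E8-4681-1C42-6739-DA50BFABDE46} - C:\WINDOWS\System32\nrqdt.dll (file missing)
"""

FIX_LIST = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {EC2BB6EE-4681-1C44-20BD-EB3CBFABDE49} - C:\WINDOWS\System32\A9l3aYt8.dll
O4 - HKLM\..\Run: [funk] funk.exe
O4 - HKLM\..\Run: [ce96e926.exe] C:\WINDOWS\System32\ce96e926.exe
O21 - SSODL: NtdzYGTiv - {EC2BB6E8-4681-1C42-6739-DA50BFABDE46} - C:\WINDOWS\System32\nrqdt.dll
"""

if __name__ == "__main__":
    result = diff_logs(BEFORE_LOG, AFTER_LOG)
    for label, keys in result.items():
        print(f"{label}:")
        for k in keys:
            print("  " + k)
    print("fix-list entries still present:", unfixed_entries(FIX_LIST, AFTER_LOG))
```

Run against the full logs, the "still_missing_file" list is exactly what the next reply asks to have fixed again: the registry entry survived even though the DLL it loads is gone.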

#6
don77
Malware Expert, Retired Staff, 18,526 posts
Have HJT fix the following line the same way you did earlier:
O21 - SSODL: NtdzYGTiv - {EC2BB6E8-4681-1C42-6739-DA50BFABDE46} - C:\WINDOWS\System32\nrqdt.dll (file missing)

Reboot

Once back in normal mode

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


#7
mr__roarke
Topic Starter, Member, 69 posts
Here is the Panda ActiveSearch Report:

Incident Status Location

Virus:Trj/Pakes.CE Disinfected Operating system
Adware:adware/ist.istbar Not disinfected c:\windows\system32\appsys.exe
Potentially unwanted tool:application/mywebsearch Not disinfected c:\windows\system32\f3PSSavr.scr
Dialer:dialer.avv Not disinfected c:\windows\downloaded program files\gdnUS1388.exe
Adware:adware/clickalchemy Not disinfected c:\windows\inf\alchem.inf
Adware:adware/ncase Not disinfected c:\windows\didduid.ini
Potentially unwanted tool:application/myway Not disinfected c:\program files\MyWay
Adware:adware/coolsavings Not disinfected Windows Registry
Adware:adware/mediatickets Not disinfected Windows Registry
Adware:adware/ist.sidefind Not disinfected Windows Registry
Adware:adware/cws Not disinfected Windows Registry
Virus:Trj/Lowzones.SE Disinfected C:\ane.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\thomas rodney\Application Data\alta\ctxad-203.0000[NDrv.dll]
Adware:Adware/SystemDoctor Not disinfected C:\Documents and Settings\thomas rodney\Local Settings\Temp\h91746.exe
Virus:Trj/Exitwin.D

Sorry for the horrible formatting. I'm attaching the report as well.

#8
don77
Malware Expert, Retired Staff, 18,526 posts

Sorry for the horrible formatting. I'm attaching the report as well

No worries, let's do this: let's run Ewido, and I will need you to post back the log from it so we can be sure everything is cleaned. We may have to do some manual removal, but let's have Ewido clean up what it can for us first.
By the way, does the machine seem to be running better?
Please make sure you set the settings correctly; we want Ewido to Quarantine what it finds.

Please download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware. Do Not run a scan just yet; we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
  • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.


#9
mr__roarke
Topic Starter, Member, 69 posts
Hey. Ok, the system does seem to be running a bit better. The Ewido scan took forever, though, and I had to restart it once (can a program actually freeze in safe mode?). Here's the report.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:10:20 PM 7/2/2006

+ Scan result:



C:\Program Files\Hijackthis\backups\backup-20060701-180914-408.dll -> Backdoor.CmjSpy.bt : No action taken.
C:\WINDOWS\od-matr26.exe -> Dialer.Generic : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ad.exe -> Downloader.Donn.aa : No action taken.
C:\WINDOWS\Downloaded Program Files\ad.exe -> Downloader.Donn.aa : No action taken.
C:\WINDOWS\SYSTEM32\appsys.exe -> Dropper.Delf.cj : No action taken.
C:\WINDOWS\SYSTEM32\Cjkpbagf.exe -> Logger.Qukart : No action taken.
C:\WINDOWS\SYSTEM32\Gejeim32.dll -> Logger.Qukart.m : No action taken.
C:\WINDOWS\SYSTEM32\Hmbdba32.exe -> Logger.Qukart.m : No action taken.
C:\WINDOWS\SYSTEM32\Mccemgjh.dll -> Logger.Qukart.m : No action taken.
C:\RECYCLER\S-1-5-21-2572101351-3180340046-1379770814-1006\Dc3.dll -> Proxy.Agent.df : No action taken.
C:\WINDOWS\Downloaded Program Files\d_abcxx.exe -> Trojan.Dialer.ce : No action taken.
C:\WINDOWS\Downloaded Program Files\xxx.exe -> Trojan.Dialer.ce : No action taken.
C:\RECYCLER\S-1-5-21-2572101351-3180340046-1379770814-1006\Dc4.exe -> Trojan.LowZones.dp : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000061.exe -> Trojan.LowZones.dp : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000060.exe -> Trojan.Pakes : No action taken.


::Report end

Thanks for all of the help so far as well. I would still probably be in the dark about most of this if I were doing this alone.

#10
don77
Malware Expert, Retired Staff, 18,526 posts
OK, I needed you to have Ewido quarantine what it found. Let's do this a bit differently and get most of this cleaned up.

First

*Please open notepad and save these instructions, Name it something you will remember
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

c:\windows\system32\appsys.exe
c:\windows\system32\f3PSSavr.scr
c:\windows\downloaded program files\gdnUS1388.exe
c:\windows\inf\alchem.inf
c:\windows\didduid.ini
C:\ane.exe
C:\Documents and Settings\thomas rodney\Local Settings\Temp\h91746.exe
C:\WINDOWS\od-matr26.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ad.exe
C:\WINDOWS\Downloaded Program Files\ad.exe
C:\WINDOWS\SYSTEM32\appsys.exe
C:\WINDOWS\SYSTEM32\Cjkpbagf.exe
C:\WINDOWS\SYSTEM32\Gejeim32.dll
C:\WINDOWS\SYSTEM32\Hmbdba32.exe
C:\WINDOWS\SYSTEM32\Mccemgjh.dll
C:\WINDOWS\Downloaded Program Files\d_abcxx.exe
C:\WINDOWS\Downloaded Program Files\xxx.exe



*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click on “All Files”
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
*Your computer should automatically restart; if not, restart manually please.


Next
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Next
Please download Spybot Search & Destroy and AdAware.

Follow all the instructions on this website to run a scan with both of these programs.

Please download both programs, update them and configure them according to the web site, then reboot to safe mode and run both programs while in safe mode.

Next
Reboot back to normal mode and rescan with ActiveScan please. Please post back the log from ActiveScan.

#11
mr__roarke
Topic Starter, Member, 69 posts
Ok, I followed those instructions. Both Spybot S&D and Ad-Aware came up with nada. So, I ran the PandaScan and here are the results:

Incident Status Location

Adware:adware/clickalchemy Not disinfected c:\windows\alchem.ini
Adware:adware/ist.istbar Not disinfected c:\program files\common files\Totem Shared
Potentially unwanted tool:application/myway Not disinfected c:\program files\MyWay
Adware:adware/coolsavings Not disinfected Windows Registry
Adware:adware/mediatickets Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
Adware:adware/ist.sidefind Not disinfected Windows Registry
Adware:adware/cws Not disinfected Windows Registry
Adware:adware/ncase Not disinfected Windows Registry
Adware:Adware/IPInsight Not disinfected C:\!KillBox\alchem.inf
Dialer:Dialer.NQ Not disinfected C:\!KillBox\d_abcxx.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\!KillBox\f3PSSavr.scr
Adware:Adware/SystemDoctor Not disinfected C:\!KillBox\h91746.exe
Dialer:Dialer.Gen Not disinfected C:\!KillBox\od-matr26.exe
Dialer:Dialer.NQ Not disinfected C:\!KillBox\xxx.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\thomas rodney\Application Data\alta\ctxad-203.0000[NDrv.dll]
I wish I knew what was going on... Thanks again for all of the help. Donation is in the works... :-)
  • 0

#12
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Looks a whole lot better.

I know it's a long process, but a lot of what Ewido found earlier has been removed. Let's run it again; this time, under Settings, be sure to choose to quarantine anything it finds:


Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"


  • 0

#13
mr__roarke

mr__roarke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 69 posts
Ok, I went and ran Ewido in safe mode and here are the results:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:11:11 PM 7/2/2006

+ Scan result:



C:\Program Files\Hijackthis\backups\backup-20060701-180914-408.dll -> Backdoor.CmjSpy.bt : No action taken.
C:\!KillBox\od-matr26.exe -> Dialer.Generic : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000095.exe -> Dialer.Generic : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000141.exe -> Downloader.Donn.aa : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ad.exe -> Downloader.Donn.aa : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000091.exe -> Dropper.Delf.cj : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000142.exe -> Dropper.Delf.cj : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000096.exe -> Logger.Qukart : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000143.exe -> Logger.Qukart : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000097.dll -> Logger.Qukart.m : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000098.exe -> Logger.Qukart.m : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000099.dll -> Logger.Qukart.m : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000144.dll -> Logger.Qukart.m : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000145.exe -> Logger.Qukart.m : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000146.dll -> Logger.Qukart.m : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000107.dll -> Proxy.Agent.df : No action taken.
C:\!KillBox\d_abcxx.exe -> Trojan.Dialer.ce : No action taken.
C:\!KillBox\xxx.exe -> Trojan.Dialer.ce : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000061.exe -> Trojan.LowZones.dp : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000108.exe -> Trojan.LowZones.dp : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000060.exe -> Trojan.Pakes : No action taken.


::Report end
  • 0

#14
mr__roarke

mr__roarke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 69 posts
Oh, and like a moron, I had the system restore on. That is now turned off and the backup points erased. Sorry if that has been slowing us down; I didn't even think about it.

-Nick
  • 0

#15
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
No worries, Nick,

Oh, and like a moron, I had the system restore on. That is now turned off and the backup points erased. Sorry if that has been slowing us down; I didn't even think about it.



I knew they were there and usually clean them out once we are done. No big deal; you will want to flush them again.
Please make sure that you turned System Restore back on.

We will use KillBox one more time here and see if it will grab some folders for us. Usually it will, but I would like you to double-check the entries listed for removal with KillBox to be sure we got them.

Using KillBox the same way as before:
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ad.exe 
c:\windows\alchem.ini 
c:\program files\common files\Totem Shared 
c:\program files\MyWay 
C:\Documents and Settings\thomas rodney\Application Data\alta\ctxad-203.0000

*Return to KillBox, go to the File menu, and choose "Paste from Clipboard".
*Click on "All Files"
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Again, your computer should automatically restart; if not, restart manually.


I would like to see a scan from ActiveScan one more time, please.
  • 0
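The ActiveScan results in post #11 and the ewido report in post #13 use two different one-line-per-hit formats, and post #15 asks for a double-check that the KillBox entries really went away after the reboot. The script below is an added example, not code from this thread or from Panda, ewido or KillBox: it parses both report formats (the formats are inferred from the lines posted above), separates live on-disk paths from registry hits and from copies sitting inside System Restore snapshots (which disappear when the restore points are flushed rather than needing deletion), and then reports which of the remaining paths still exist. The sample report text is constructed to mirror the thread's lines; the `exists` parameter is injectable so the check can be exercised without touching the real disk.

```python
"""Parse Panda ActiveScan / ewido style report lines and verify a cleanup.

Added example, not code from the thread or from either tool. The report
formats are inferred from the lines posted in the thread:
  Panda:  <Category>:<name> <status> <location>
  ewido:  <path> -> <detection> : <action>
"""
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

EWIDO_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+)$")
PANDA_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>\S+) (?P<status>Not disinfected|Disinfected) (?P<location>.+)$"
)
# Copies sitting in a System Restore snapshot are not live files; they vanish
# when the restore points are flushed, so they do not belong on a deletion list.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"^[a-zA-Z]:\\")


@dataclass(frozen=True)
class Finding:
    path: str               # file path, folder, or a non-file location such as "Windows Registry"
    detection: str          # detection name as the scanner printed it
    source: str             # "panda" or "ewido"
    in_restore_point: bool  # True if the hit is a System Restore snapshot copy


def parse_report(text: str) -> List[Finding]:
    """Turn pasted report text into Findings; headers and blank lines are skipped."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EWIDO_RE.match(line)
        if m:
            path = m["path"].strip()
            findings.append(Finding(path, m["detection"].strip(), "ewido", bool(RESTORE_RE.search(path))))
            continue
        m = PANDA_RE.match(line)
        if m:
            loc = m["location"].strip()
            findings.append(Finding(loc, f"{m['category']}:{m['name']}", "panda", bool(RESTORE_RE.search(loc))))
    return findings


def live_file_paths(findings: List[Finding]) -> List[str]:
    """Deduplicated on-disk paths worth re-checking: drops registry hits and restore-point copies."""
    seen: Dict[str, str] = {}
    for f in findings:
        if f.in_restore_point or not DRIVE_PATH_RE.match(f.path):
            continue
        seen.setdefault(f.path.casefold(), f.path)  # NTFS paths are case-insensitive
    return list(seen.values())


def verify_removed(paths: List[str], exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the paths that still exist after the reboot; an empty list means the cleanup took."""
    return [p for p in paths if exists(p)]


# Constructed sample mirroring the two report formats seen in the thread.
SAMPLE_REPORT = r"""
Incident Status Location
Adware:adware/clickalchemy Not disinfected c:\windows\alchem.ini
Adware:adware/coolsavings Not disinfected Windows Registry
Dialer:Dialer.NQ Not disinfected C:\!KillBox\xxx.exe
+ Scan result:
C:\!KillBox\xxx.exe -> Trojan.Dialer.ce : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000095.exe -> Dialer.Generic : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ad.exe -> Downloader.Donn.aa : No action taken.
::Report end
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for f in found:
        tag = "restore-point copy" if f.in_restore_point else "live"
        print(f"[{f.source}] {f.detection} -> {f.path} ({tag})")
    still_there = verify_removed(live_file_paths(found))
    print("still present after cleanup:", still_there or "none")
```

Run it on a machine after the reboot by pasting the real report text in place of the constructed sample; any path printed as still present is one to raise in the next reply rather than assume KillBox handled it. Restore-point copies are listed but deliberately left out of the check, since flushing System Restore is what clears them.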





