Malware ad.oinadserver.com [RESOLVED]


This topic is locked

#1
Juspar
I'm new here, did a search and found a thread on this nasty popup, but I couldn't duplicate the files - so it looks like I'm going to need some help of my own.

I have run Spybot S & D and Trend Micro HouseCall on this already, to no avail. Here's the HijackThis log for things right now:

Logfile of HijackThis v1.99.1
Scan saved at 1:19:59 PM, on 8/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DesktopAuthority\RaMaint.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\WINDOWS\system32\SLClient.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\slagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\DesktopAuthority\ragui.exe
C:\WINDOWS\system32\YMANTE~1\EPLORE~1.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Numara Software\Track-It! 7.0\Technician Client\TIWin.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\DOCUME~1\justinp\APPLIC~1\SCURIT~1\javaw.exe
C:\WINDOWS\system32\utilman.exe
C:\WINDOWS\TEMP\win1ED.tmp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\justinp\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00310} - C:\WINDOWS\system32\compstuid.dll (file missing)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - C:\WINDOWS\g8328656.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: C:\WINDOWS\system32\clbcatix.dll - {D4DFC1D8-2D2E-4962-B0D0-389FBA0F76B5} - C:\WINDOWS\system32\clbcatix.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [Desktop Authority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Zqlzu] C:\WINDOWS\system32\YMANTE~1\EPLORE~1.EXE
O4 - HKCU\..\Run: [Snte] "C:\DOCUME~1\justinp\APPLIC~1\SCURIT~1\javaw.exe" -vt ndrv
O4 - Startup: E-mail.lnk = ?
O4 - Startup: Track-It! 7.0 Technician Client.lnk = C:\Program Files\Numara Software\Track-It! 7.0\Technician Client\TIWin.exe
O4 - Startup: Windows Media Player.lnk = C:\Program Files\Windows Media Player\wmplayer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: setdhcpv4.vbs
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\clbcatix.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\clbcatix.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\clbcatix.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: http://www.state.nd.us
O15 - Trusted Zone: http://*.will2
O15 - Trusted Zone: http://trackit.williamsnd.com
O15 - Trusted Zone: http://www.williamsnd.com
O15 - Trusted Zone: http://www.state.nd.us (HKLM)
O15 - Trusted Zone: http://*.will2 (HKLM)
O15 - Trusted Zone: http://trackit.williamsnd.com (HKLM)
O15 - Trusted Zone: http://www.williamsnd.com (HKLM)
O16 - DPF: {576756A1-D97C-45D0-A945-0324019A131E} (BOSIActiveFormX Control) - http://trackit.willi...ActiveXGrid.cab
O16 - DPF: {6AF2E1A7-A16E-4503-A440-07CA49122CCE} (BOSIRichEditActiveX Control) - http://trackit.willi...MemoControl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = co.williams.nd.us
O17 - HKLM\Software\..\Telephony: DomainName = co.williams.nd.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{20260FCF-75BB-401D-BC03-2502D9E8D69E}: NameServer = 10.48.66.85,10.48.66.229
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = co.williams.nd.us
O17 - HKLM\System\CS1\Services\Tcpip\..\{20260FCF-75BB-401D-BC03-2502D9E8D69E}: NameServer = 10.48.66.85,10.48.66.229
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = co.williams.nd.us
O17 - HKLM\System\CS2\Services\Tcpip\..\{20260FCF-75BB-401D-BC03-2502D9E8D69E}: NameServer = 10.48.66.85,10.48.66.229
O20 - AppInit_DLLs: DAinit.dll C:\WINDOWS\system32\msiexec.dll
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g868781.dll
O20 - Winlogon Notify: clbcatex - C:\WINDOWS\system32\clbcatix.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winucv32 - C:\WINDOWS\SYSTEM32\winucv32.dll
O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe
O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Corporation - C:\WINDOWS\system32\SLClient.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe




Assistance greatly appreciated.

~Juspar

#2
Juspar
This one morphed on me somehow - and got really vicious for a little while. Massive popup spam, installed a couple of programs that were posing as (I think they were posing, I never ran them - but they kept popping up) anti-spyware. One was SpyQuake, not sure about the other.

I ran Shredder by Trend Micro, and that must have found traces of nasties in some very important places, because after that I couldn't get the system to run. A Windows XP repair helped, then a gamut of software cleaners including Ewido, S & D, Ad-Aware, and HouseCall - mostly in safe mode - fixed most problems.

The original issue still exists though, with occasional (maybe one every 30-60 mins) popups, most of which have an http://ad.oinadserver.com name in the window header. Also getting a popup that is NOT an IE window, doesn't show in my taskbar at all, and says there are registry errors and I should run "sysProtect".

For preference I use Firefox as my browser, but this work machine has IE installed as the default browser due to work requirements.

Here's the current HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:27:23 PM, on 8/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
C:\Program Files\DesktopAuthority\RaMaint.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\SLClient.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\slagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\DesktopAuthority\ragui.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgentIcon.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\DOCUME~1\justinp\APPLIC~1\SCURIT~1\javaw.exe
C:\WINDOWS\system32\FNTS~1\NPDB~1.EXE
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\idd52.tmp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\justinp\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [Desktop Authority GUI] C:\Program Files\DesktopAuthority\ragui.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [StartCounterSpyIconApp] C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgentIcon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKCU\..\Run: [df588256.exe] C:\Documents and Settings\justinp\Local Settings\Application Data\df588256.exe
O4 - HKCU\..\Run: [Snte] "C:\DOCUME~1\justinp\APPLIC~1\SCURIT~1\javaw.exe" -vt yazr
O4 - HKCU\..\Run: [Bbkhj] C:\WINDOWS\system32\FNTS~1\NPDB~1.EXE
O4 - Startup: E-mail.lnk = ?
O4 - Startup: Track-It! 7.0 Technician Client.lnk = C:\Program Files\Numara Software\Track-It! 7.0\Technician Client\TIWin.exe
O4 - Startup: Windows Media Player.lnk = C:\Program Files\Windows Media Player\wmplayer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: setdhcpv4.vbs
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.state.nd.us
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://*.will2
O15 - Trusted Zone: http://trackit.williamsnd.com
O15 - Trusted Zone: http://www.williamsnd.com
O15 - Trusted Zone: http://www.state.nd.us (HKLM)
O15 - Trusted Zone: http://*.will2 (HKLM)
O15 - Trusted Zone: http://trackit.williamsnd.com (HKLM)
O15 - Trusted Zone: http://www.williamsnd.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {576756A1-D97C-45D0-A945-0324019A131E} (BOSIActiveFormX Control) - http://trackit.willi...ActiveXGrid.cab
O16 - DPF: {6AF2E1A7-A16E-4503-A440-07CA49122CCE} (BOSIRichEditActiveX Control) - http://trackit.willi...MemoControl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = co.williams.nd.us
O17 - HKLM\Software\..\Telephony: DomainName = co.williams.nd.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{20260FCF-75BB-401D-BC03-2502D9E8D69E}: NameServer = 10.48.66.85,10.48.66.229
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = co.williams.nd.us
O17 - HKLM\System\CS1\Services\Tcpip\..\{20260FCF-75BB-401D-BC03-2502D9E8D69E}: NameServer = 10.48.66.85,10.48.66.229
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = co.williams.nd.us
O17 - HKLM\System\CS2\Services\Tcpip\..\{20260FCF-75BB-401D-BC03-2502D9E8D69E}: NameServer = 10.48.66.85,10.48.66.229
O20 - AppInit_DLLs: DAinit.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll (file missing)
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: CounterSpyAgent - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe
O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Corporation - C:\WINDOWS\system32\SLClient.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

#3
Ryan
Hi Juspar, welcome to geekstogo. I'm Ryan, and I'll be helping you fix your computer.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

-Ryan

#4
Juspar
Thanks Murph

Here's the Vundo log:

==================


VundoFix V6.0.0

Checking Java version...

Java version is 1.5.0.6

Scan started at 4:57:13 PM 8/16/2006

Listing files found while scanning....

C:\windows\system32\ddayv.dll
C:\windows\system32\vyadd.ini
C:\windows\system32\vyadd.bak1
C:\windows\system32\vyadd.bak2

Beginning removal...

Attempting to delete C:\windows\system32\ddayv.dll
C:\windows\system32\ddayv.dll Has been deleted!

Attempting to delete C:\windows\system32\vyadd.ini
C:\windows\system32\vyadd.ini Has been deleted!

Attempting to delete C:\windows\system32\vyadd.bak1
C:\windows\system32\vyadd.bak1 Has been deleted!

Attempting to delete C:\windows\system32\vyadd.bak2
C:\windows\system32\vyadd.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

==================


Here's the HijackThis log:

==================

Logfile of HijackThis v1.99.1
Scan saved at 5:05:09 PM, on 8/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
C:\Program Files\DesktopAuthority\RaMaint.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\SLClient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\slagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\DesktopAuthority\ragui.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgentIcon.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\DOCUME~1\justinp\APPLIC~1\SCURIT~1\javaw.exe
C:\WINDOWS\system32\FNTS~1\NPDB~1.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\justinp\My Documents\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - C:\WINDOWS\system32\compstuig.dll (file missing)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\system32\compstuih.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [Desktop Authority GUI] C:\Program Files\DesktopAuthority\ragui.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [StartCounterSpyIconApp] C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgentIcon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKCU\..\Run: [df588256.exe] C:\Documents and Settings\justinp\Local Settings\Application Data\df588256.exe
O4 - HKCU\..\Run: [Snte] "C:\DOCUME~1\justinp\APPLIC~1\SCURIT~1\javaw.exe" -vt yazr
O4 - HKCU\..\Run: [Bbkhj] C:\WINDOWS\system32\FNTS~1\NPDB~1.EXE
O4 - Startup: E-mail.lnk = ?
O4 - Startup: Track-It! 7.0 Technician Client.lnk = C:\Program Files\Numara Software\Track-It! 7.0\Technician Client\TIWin.exe
O4 - Startup: Windows Media Player.lnk = C:\Program Files\Windows Media Player\wmplayer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: setdhcpv4.vbs
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.state.nd.us
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://*.will2
O15 - Trusted Zone: http://trackit.williamsnd.com
O15 - Trusted Zone: http://www.williamsnd.com
O15 - Trusted Zone: http://www.state.nd.us (HKLM)
O15 - Trusted Zone: http://*.will2 (HKLM)
O15 - Trusted Zone: http://trackit.williamsnd.com (HKLM)
O15 - Trusted Zone: http://www.williamsnd.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {576756A1-D97C-45D0-A945-0324019A131E} (BOSIActiveFormX Control) - http://trackit.willi...ActiveXGrid.cab
O16 - DPF: {6AF2E1A7-A16E-4503-A440-07CA49122CCE} (BOSIRichEditActiveX Control) - http://trackit.willi...MemoControl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = co.williams.nd.us
O17 - HKLM\Software\..\Telephony: DomainName = co.williams.nd.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{20260FCF-75BB-401D-BC03-2502D9E8D69E}: NameServer = 10.48.66.85,10.48.66.229
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = co.williams.nd.us
O17 - HKLM\System\CS1\Services\Tcpip\..\{20260FCF-75BB-401D-BC03-2502D9E8D69E}: NameServer = 10.48.66.85,10.48.66.229
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = co.williams.nd.us
O17 - HKLM\System\CS2\Services\Tcpip\..\{20260FCF-75BB-401D-BC03-2502D9E8D69E}: NameServer = 10.48.66.85,10.48.66.229
O20 - AppInit_DLLs: DAinit.dll
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g14068609.dll (file missing)
O20 - Winlogon Notify: clbcatex - C:\WINDOWS\system32\clbcatix.dll (file missing)
O20 - Winlogon Notify: h618 - C:\WINDOWS\g56919156.dll
O20 - Winlogon Notify: h619 - C:\WINDOWS\g69893890.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winucv32 - C:\WINDOWS\SYSTEM32\winucv32.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll (file missing)
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: CounterSpyAgent - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe
O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Corporation - C:\WINDOWS\system32\SLClient.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

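The helpers in this thread read these logs by eye, but the tells they look for can be written down. The script below is an added example for this page; it is not part of the thread and not a feature of HijackThis, smitRem or ewido. It parses HijackThis v1.99-style lines and flags the patterns visible in the logs posted here: a second executable chained onto the F2 Shell= or UserInit= value, O15 Trusted Zone entries for rogue "antivirus" domains, an O16 ActiveX download from a raw IP address, O20 Winlogon Notify DLLs that are missing or loaded from outside system32, an O21 SSODL entry with a made-up name, and processes running out of a TEMP directory. `ROGUE_DOMAINS` and `KNOWN_SSODL` are assumptions standing in for a real reputation source; `SAMPLE_LOG` is an excerpt copied from the logs in this thread, with a few legitimate lines left in as controls.

```python
"""Heuristic triage of HijackThis v1.99-style log lines.

Added example for this page, not part of the thread and not a feature of
HijackThis, smitRem or ewido. ROGUE_DOMAINS and KNOWN_SSODL are assumptions
standing in for a real reputation feed; SAMPLE_LOG is copied from the logs
posted in this thread.
"""
import re

# Assumption: rogue "security product" / adware domains from this thread's O15 lines.
ROGUE_DOMAINS = {
    "systemdoctor.com", "winantivirus.com", "winantiviruspro.com", "winsoftware.com",
    "getmirar.com", "mirarsearch.com", "net-nucleus.com", "amaena.com",
}
# Assumption: SSODL names legitimately present on a stock Windows XP SP2 install.
KNOWN_SSODL = {"webcheck", "postbootreminder", "cdburn", "systray"}
EXPECTED = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]", re.I)
TEMP_DIR = re.compile(r"\\(?:TEMP|Local Settings\\Temp)\\", re.I)
SYSTEM32 = re.compile(r"\\system32\\", re.I)


def _basenames(value):
    """'Explorer.exe, C:\\x\\y.exe' -> ['explorer.exe', 'y.exe']"""
    return [p.strip().split("\\")[-1].lower() for p in value.split(",") if p.strip()]


def _host(url):
    """Host of a Trusted Zone URL, with any leading '*.' wildcard removed."""
    m = re.match(r"[a-z]+://([^/\s]+)", url.strip(), re.I)
    host = (m.group(1) if m else "").lower()
    return host[2:] if host.startswith("*.") else host


def triage_line(line):
    """Return a reason string if the line looks suspicious, otherwise None."""
    line = line.strip()
    # 'Running processes' section: bare paths with no Oxx/Fx prefix.
    if re.match(r"^[a-z]:\\", line, re.I):
        return "process running from a temp directory" if TEMP_DIR.search(line) else None
    m = re.match(r"^([A-Z]\d+)\s+-\s+(.*)$", line)
    if not m:
        return None
    sec, rest = m.groups()
    if sec == "F2":
        # Shell= / UserInit= must name exactly explorer.exe / userinit.exe.
        kv = re.search(r"(Shell|UserInit)=(.*)$", rest)
        if kv:
            extra = [b for b in _basenames(kv.group(2)) if b != EXPECTED[kv.group(1)]]
            if extra:
                return f"F2: extra executable chained onto {kv.group(1)}= ({', '.join(extra)})"
    elif sec == "O15":
        host = _host(rest.split("Trusted Zone:", 1)[-1].replace("(HKLM)", ""))
        if any(host == d or host.endswith("." + d) for d in ROGUE_DOMAINS):
            return "O15: rogue-AV/adware domain added to the Trusted Zone"
    elif sec == "O16" and IP_URL.search(rest):
        return "O16: ActiveX component downloaded from a raw IP address"
    elif sec == "O20" and rest.startswith("Winlogon Notify:"):
        path = rest.split(" - ", 1)[-1]
        if "(file missing)" in path:
            return "O20: Winlogon Notify points at a DLL that no longer exists"
        if not SYSTEM32.search(path):
            return "O20: Winlogon Notify DLL loaded from outside system32"
    elif sec == "O21" and rest.startswith("SSODL:"):
        name = rest.split("SSODL:", 1)[1].split(" - ", 1)[0].strip().lower()
        if name not in KNOWN_SSODL:
            return "O21: unrecognised ShellServiceObjectDelayLoad entry"
    return None


def triage_log(text):
    """Return [(line, reason), ...] for every suspicious line in a log."""
    hits = []
    for raw in text.splitlines():
        reason = triage_line(raw)
        if reason:
            hits.append((raw.strip(), reason))
    return hits


# Excerpt copied from the logs in this thread; legitimate lines left in as controls.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\TEMP\iddC.tmp.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\axyoo.exe
F2 - REG:system.ini: UserInit=userinit.exe,ktgryec.exe
O15 - Trusted Zone: http://www.state.nd.us
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O20 - AppInit_DLLs: DAinit.dll
O20 - Winlogon Notify: clbcatex - C:\WINDOWS\system32\clbcatix.dll (file missing)
O20 - Winlogon Notify: h618 - C:\WINDOWS\g56919156.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll (file missing)
"""

if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"{reason:62s} <- {line}")
```

Run it as a script to see the nine flagged lines from the excerpt, or call `triage_log()` on a complete log. Heuristics like these only shortlist entries: the `winucv32.dll` Winlogon Notify line in the log above sits in system32 and is present on disk, so it passes every check here, which is why a helper still reviews the full log rather than trusting a filter.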
#5
Ryan
Download smitRem.exe ©noahdfear, and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on Panda ActiveScan link select "Copy Shortcut" then right click on your desktop and select "Paste Shortcut" or in FireFox right-click the link and select "Save Link As" and save it to your desktop).

Please download the trial version of ewido anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Close ewido anti-malware.

Next, go to Control Panel, click Display > Desktop > Customize Desktop > Web, and uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the Check Now button.
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When the download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.

-Ryan

Edited by rmurphy, 16 August 2006 - 04:28 PM.


#6
Juspar (Topic Starter)
Ryan, thanks for your help.

I'll post here the logs I got - but the Panda scan seemed to crash once it was complete and I clicked on show report. I recall seeing it had located 42 malware and a few dialers, not sure what else. I'll search the HD for a report and add it if I can find it.

Interestingly - two new problems since I ran through these tests. I have a new toolbar in the IE window, a Mirar popup blocker, and I'm now getting popups in Firefox too.



Smitfiles.txt


smitRem © log file
version 3.1

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Wed 08/16/2006
The current time is: 23:42:16.89

Running from
C:\Documents and Settings\justinp\My Documents\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"
"{259BA022-2005-45E9-A965-10EDB9C00615}"="Windows Updater"
"{259BA022-2005-45E9-A965-10EDB9C00616}"="Windows Updater"
"{259BA022-2005-45E9-A965-10EDB9C00617}"="Windows Updater"
"{259BA022-2005-45E9-A965-10EDB9C00618}"="Windowz Updater"
"{259BA022-2005-45E9-A965-10EDB9C00620}"="Windows Updater"
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00311}"="z"
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}"="g322"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00605}\InProcServer32]
@="C:\WINDOWS\g14068609.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00618}\InProcServer32]
@="C:\WINDOWS\g56919156.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00620}\InProcServer32]
@="C:\WINDOWS\g69893890.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4F94C0C-54A7-4DB1-9AF3-B22E63D00311}\InProcServer32]
@="C:\WINDOWS\system32\compstuig.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}\InProcServer32]
@="C:\WINDOWS\g3172390.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

ishost.exe
ismon.exe
amcompat.tlb
nscompat.tlb


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 848 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"
"{259BA022-2005-45E9-A965-10EDB9C00615}"="Windows Updater"
"{259BA022-2005-45E9-A965-10EDB9C00616}"="Windows Updater"
"{259BA022-2005-45E9-A965-10EDB9C00617}"="Windows Updater"
"{259BA022-2005-45E9-A965-10EDB9C00618}"="Windowz Updater"
"{259BA022-2005-45E9-A965-10EDB9C00620}"="Windows Updater"
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00311}"="z"
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}"="g322"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00605}\InProcServer32]
@="C:\WINDOWS\g14068609.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00618}\InProcServer32]
@="C:\WINDOWS\g56919156.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00620}\InProcServer32]
@="C:\WINDOWS\g69893890.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4F94C0C-54A7-4DB1-9AF3-B22E63D00311}\InProcServer32]
@="C:\WINDOWS\system32\compstuig.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}\InProcServer32]
@="C:\WINDOWS\g3172390.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :whistling:

============================================

ewido Log

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:52:14 AM 8/17/2006

+ Scan result:



C:\Program Files\Sunbelt Software\CounterSpy\Agent\Quarantine\CA21D610-F491-4592-9022-60E2D9\B5FEFAFE-DA3F-433A-AC94-A6864D -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Program Files\Sunbelt Software\CounterSpy\Agent\Quarantine\CA21D610-F491-4592-9022-60E2D9\CF8BC710-AB70-42EF-8E87-6D3598 -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\YazzleActiveX.ocx -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\WINDOWS\YAXUninst.exe -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\WINDOWS\system32\btpanuib.dll -> Adware.SmartSearch : Cleaned with backup (quarantined).
C:\Program Files\Sunbelt Software\CounterSpy\Agent\Quarantine\73920AA1-80CE-4389-974D-A6317E\D0F9A758-6C61-44C7-AE9D-C7D229 -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\yayvsts.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup (quarantined).
C:\Documents and Settings\justinp\Local Settings\Application Data\df588256.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\WINDOWS\system32\df588256.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Y1123OA.exe -> Downloader.PurityScan.cq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\olwnb.dat -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
[1208] C:\WINDOWS\system32\pvikghn.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
[1296] C:\WINDOWS\system32\pvikghn.dll -> Downloader.Qoologic.bj : Error during cleaning.
C:\WINDOWS\system32\alexa.exe -> Hijacker.Delf.eb : Cleaned with backup (quarantined).
:mozilla.116:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.117:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.44:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.47:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.49:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.36:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.37:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.39:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.119:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.46:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.86:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.87:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.88:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.89:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.90:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.91:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.92:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.93:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.94:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.95:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\justinp\Cookies\[email protected][2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
:mozilla.77:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Cqcounter : Cleaned with backup (quarantined).
:mozilla.50:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.31:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.33:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.35:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.51:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup (quarantined).
C:\Documents and Settings\justinp\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.82:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Paycounter : Cleaned with backup (quarantined).
C:\Documents and Settings\justinp\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.57:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.58:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.59:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.60:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.61:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.62:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.63:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.64:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
:mozilla.65:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
:mozilla.66:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
:mozilla.67:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
:mozilla.68:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
:mozilla.69:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
:mozilla.70:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
:mozilla.71:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
:mozilla.75:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup (quarantined).
C:\Documents and Settings\justinp\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\justinp\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\justinp\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.45:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.121:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
:mozilla.40:C:\Documents and Settings\justinp\Application Data\Mozilla\Firefox\Profiles\o0nz4jvs.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\justinp\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\justinp\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{319B39DD-031E-1033-0214-060001}\Update.exe -> Trojan.Starter.65 : Cleaned with backup (quarantined).


::Report end

=======================================

hijackthis.log

Logfile of HijackThis v1.99.1
Scan saved at 8:12:29 AM, on 8/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
C:\Program Files\DesktopAuthority\RaMaint.exe
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\SLClient.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\slagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\DesktopAuthority\ragui.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgentIcon.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\df588256.exe
C:\Program Files\Common Files\{319B39DD-06C0-1033-0214-060001}\Update.exe
C:\DOCUME~1\justinp\APPLIC~1\SCURIT~1\javaw.exe
C:\WINDOWS\system32\FNTS~1\NPDB~1.EXE
C:\WINDOWS\TEMP\iddC.tmp.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\TEMP\win440.tmp.exe
C:\Documents and Settings\justinp\My Documents\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\axyoo.exe
F2 - REG:system.ini: UserInit=userinit.exe,ktgryec.exe
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [Desktop Authority GUI] C:\Program Files\DesktopAuthority\ragui.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [StartCounterSpyIconApp] C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgentIcon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [df588256.exe] C:\WINDOWS\system32\df588256.exe
O4 - HKCU\..\Run: [df588256.exe] C:\Documents and Settings\justinp\Local Settings\Application Data\df588256.exe
O4 - HKCU\..\Run: [Snte] "C:\DOCUME~1\justinp\APPLIC~1\SCURIT~1\javaw.exe" -vt yazr
O4 - HKCU\..\Run: [Bbkhj] C:\WINDOWS\system32\FNTS~1\NPDB~1.EXE
O4 - Startup: E-mail.lnk = ?
O4 - Startup: Track-It! 7.0 Technician Client.lnk = C:\Program Files\Numara Software\Track-It! 7.0\Technician Client\TIWin.exe
O4 - Startup: Windows Media Player.lnk = C:\Program Files\Windows Media Player\wmplayer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: setdhcpv4.vbs
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.amaena.com
O15 - Trusted Zone: http://www.state.nd.us
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://*.will2
O15 - Trusted Zone: http://trackit.williamsnd.com
O15 - Trusted Zone: http://www.williamsnd.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: http://www.state.nd.us (HKLM)
O15 - Trusted Zone: http://*.will2 (HKLM)
O15 - Trusted Zone: http://trackit.williamsnd.com (HKLM)
O15 - Trusted Zone: http://www.williamsnd.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {576756A1-D97C-45D0-A945-0324019A131E} (BOSIActiveFormX Control) - http://trackit.willi...ActiveXGrid.cab
O16 - DPF: {6AF2E1A7-A16E-4503-A440-07CA49122CCE} (BOSIRichEditActiveX Control) - http://trackit.willi...MemoControl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = co.williams.nd.us
O17 - HKLM\Software\..\Telephony: DomainName = co.williams.nd.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{20260FCF-75BB-401D-BC03-2502D9E8D69E}: NameServer = 10.48.66.85,10.48.66.229
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = co.williams.nd.us
O17 - HKLM\System\CS1\Services\Tcpip\..\{20260FCF-75BB-401D-BC03-2502D9E8D69E}: NameServer = 10.48.66.85,10.48.66.229
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = co.williams.nd.us
O17 - HKLM\System\CS2\Services\Tcpip\..\{20260FCF-75BB-401D-BC03-2502D9E8D69E}: NameServer = 10.48.66.85,10.48.66.229
O20 - AppInit_DLLs: DAinit.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: CounterSpyAgent - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe
O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Corporation - C:\WINDOWS\system32\SLClient.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

=================================================

I am VERY close to re-imaging this machine, it is less than two weeks old. Let me know if you think that would be for the best, this issue seems to just keep spiraling up.
  • 0

#7
Ryan

Ryan

    Member 4k

  • Member
  • 4,867 posts
You can go ahead and reimage the machine if you'd like (just let me know). There should only be one or two more steps though in trying to rid the machine of the malware.

The reason that new things are appearing is that some of the infections on the machine were employing rootkits to hide them, and it looks like ewido got rid of one of them, so now we see things that were there, but were hidden.

=========

You will want to print out a copy of these instructions to follow while you complete this procedure, as you will not be able to access the internet later in the fix.


Please download Qoofix by Rubber Ducky to your desktop.
  • Right click on the Qoofix folder, and choose "Extract All". Extract Qoofix to your C: drive
  • Close all windows and programs, including internet windows.
  • Go to C:\Qoofix and open the folder, then double click on Qoofix.exe
  • Click Begin Removal and wait for the scan to finish
  • If Qoofix finds an infection, select yes to restart your computer
  • You will now find a log from this tool, located at C:\Qoofix\Qoofix Logfile.txt. Copy and paste the contents of that report into your next reply here.

Open HiJack This and scan. When it finishes, put an X in the box next to the following item(s):


R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\axyoo.exe
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O4 - HKLM\..\Run: [df588256.exe] C:\WINDOWS\system32\df588256.exe
O4 - HKCU\..\Run: [df588256.exe] C:\Documents and Settings\justinp\Local Settings\Application Data\df588256.exe
O4 - HKCU\..\Run: [Snte] "C:\DOCUME~1\justinp\APPLIC~1\SCURIT~1\javaw.exe" -vt yazr
O4 - HKCU\..\Run: [Bbkhj] C:\WINDOWS\system32\FNTS~1\NPDB~1.EXE
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe



Close all open windows except for HiJack This and click fix checked.


Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

In the Control Panel, go to Add/Remove Programs and remove the following programs (if found):

mirar
mytoolbar
yazzle
And any others that you did not install / don't know what they are

Delete the following files in bold (if found):
C:\Documents and Settings\justinp\Local Settings\Application Data\df588256.exe << This file
C:\WINDOWS\system32\axyoo.exe << This file
C:\WINDOWS\system32\df588256.exe << This file
C:\WINDOWS\system32\WinNB58.dll << This file

C:\Program Files\ToolBar888 << This folder

Careful with these next two...there may be two folders with similar names, but only one is the correct folder to delete
C:\WINDOWS\system32\FNTS~1 << This folder
C:\DOCUME~1\justinp\APPLIC~1\SCURIT~1 << This folder


Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :whistling:

-Ryan
  • 0
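The items Ryan marks for "fix checked" above share a few recognisable traits: a Shell= line with a second executable appended, Run entries using 8.3 short paths or launching from Application Data, Trusted Zone entries for wildcard or unrelated domains, and an O16 DPF entry that downloads an .exe from a bare IP address. The following script is an added example (written for this page, not a tool from the forum, HijackThis or its author) that encodes those traits as triage rules and runs them over lines copied from the log in this thread plus a few constructed benign control lines. The allowlist of Trusted Zone hosts is an assumption derived from the O17 domain entries and is not from any vendor list; the heuristics themselves are assumptions about what usually warrants a second look, not a verdict.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Assumed allowlist: hosts the organisation itself is likely to have placed in the
# Trusted Zone, inferred from the O17 domain (co.williams.nd.us). Not a vendor list.
TRUSTED_ZONE_ALLOWLIST = {"www.state.nd.us", "trackit.williamsnd.com", "www.williamsnd.com"}

# Constructed sample: lines copied from the HijackThis log in this thread, plus
# benign control lines (the jusched, example.com and O23 entries) added for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\axyoo.exe
O4 - HKLM\..\Run: [df588256.exe] C:\WINDOWS\system32\df588256.exe
O4 - HKCU\..\Run: [df588256.exe] C:\Documents and Settings\justinp\Local Settings\Application Data\df588256.exe
O4 - HKCU\..\Run: [Snte] "C:\DOCUME~1\justinp\APPLIC~1\SCURIT~1\javaw.exe" -vt yazr
O4 - HKCU\..\Run: [Bbkhj] C:\WINDOWS\system32\FNTS~1\NPDB~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O15 - Trusted Zone: http://www.state.nd.us
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://example.com/activex/example.cab
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Corporation - C:\WINDOWS\system32\SLClient.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")


def _is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line: str):
    """Return a reason string if the HijackThis line matches a triage rule, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    if kind == "F2" and "Shell=" in body:
        # Shell= should name Explorer.exe alone; anything appended runs at every logon.
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return "extra executable appended to the Shell= line"

    if kind == "O4":
        # body looks like: HKLM\..\Run: [value name] command line
        cmd = body.split("] ", 1)[1] if "] " in body else body
        if re.search(r"~\d", cmd):
            return "Run entry uses an 8.3 short path"
        if re.search(r"\\(?:Local Settings\\)?Application Data\\[^\\]+\.exe", cmd, re.I):
            return "Run entry launches an executable from the user's Application Data"
        exe = re.search(r'([^\\"]+\.exe)', cmd, re.I)
        if exe and sum(ch.isdigit() for ch in exe.group(1)) >= 4:
            return "Run entry executable name looks generated"

    if kind == "O15":
        m2 = re.match(r"Trusted Zone: (\S+)", body)
        if m2:
            host = urlparse(m2.group(1)).hostname or m2.group(1)
            if "*" in host:
                return "wildcard host in Trusted Zone"
            if host not in TRUSTED_ZONE_ALLOWLIST:
                return "Trusted Zone host not on the allowlist"

    if kind == "O16":
        # DPF entries normally pull a signed .cab from a named vendor host.
        parsed = urlparse(body.rsplit(" - ", 1)[-1])
        if _is_ip(parsed.hostname or ""):
            return "ActiveX download from a bare IP address"
        if parsed.path.lower().endswith(".exe"):
            return "ActiveX DPF entry fetches an .exe instead of a .cab"

    return None


def triage_log(text: str):
    """Return [(line, reason)] for every line that trips a rule, in log order."""
    hits = []
    for raw in text.splitlines():
        reason = triage_line(raw)
        if reason:
            hits.append((raw.strip(), reason))
    return hits


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"{reason:60s} <- {line}")
```

The rules deliberately stay narrow: an 8.3 path or an Application Data launcher is something a human should look at, not proof of infection, which is why the output is a list of reasons to review rather than a list of lines to delete.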

#8
Juspar

Juspar

    New Member

  • Topic Starter
  • Member
  • 7 posts
Ryan, my sincere thanks to you and all the staff here.

I have re-imaged to ensure everything is clean on this one, I thought it was best based on the relative youth of the system.

Your knowledge and service are exceptional, I almost feel embarrassed for not following through with them.

Thanks again

~Juspar
  • 0

#9
Ryan

Ryan

    Member 4k

  • Member
  • 4,867 posts
Do you have any other questions or concerns? This thread will be left open for a few more days, so feel free to ask.

-Ryan
  • 0

#10
Ryan

Ryan

    Member 4k

  • Member
  • 4,867 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
