Geeks to Go
HijackThis is not reading ssttt.dll file


#1 jahnetik
Member, 10 posts

I have the pesky little file ssttt.dll running on my comp and I've tried everything to get rid of it. I've noticed when people post their HijackThis log, that file shows up if they have it. It will not pick it up for me; what's the deal? Below is my log:

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Aardvark\aardvark.exe
D:\WINDOWS\system32\cisvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\ZoneLabs\isafe.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\cidaemon.exe
D:\Documents and Settings\Jason Andrews\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://static.vpptec...results.html?s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=d:\windows\system32\userinit.exe
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: &Search the Web - D:\WINDOWS\Web\Ers_src.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movi.../altpmtscab.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129575356531
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Aardvark Professional Audio Manager (aardvarkpm) - Aardvark Computer Systems, Inc. - D:\Program Files\Aardvark\aardvark.exe
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Unknown owner - D:\WINDOWS\System32\bmwebcfg.exe (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - D:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - D:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTLOAD - Unknown owner - D:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - D:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - Unknown owner - D:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 loophole
Malware Expert, Retired Staff, 9,798 posts

Hi there :whistling:


Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Edited by loophole, 04 September 2006 - 06:34 PM.

#3 jahnetik
Topic Starter, Member, 10 posts

It didn't even detect the ssttt.dll file; it detected some other one. Here's the log; the HijackThis log isn't any different from what it was. Is there any software that will run at reboot so maybe I could catch the ssttt.dll file before it loads with Windows?


VundoFix V6.1.2

Checking Java version...

Scan started at 7:51:14 PM 9/4/2006

Listing files found while scanning....

D:\WINDOWS\system32\ddcbabb.dll

Beginning removal...

Attempting to delete D:\WINDOWS\system32\ddcbabb.dll
D:\WINDOWS\system32\ddcbabb.dll Has been deleted!

Performing Repairs to the registry.
Done!
#4 loophole
Malware Expert, Retired Staff, 9,798 posts

Hi :whistling:

Rename hijackthis.exe to HJT.exe, rescan, and post the log please.

#5 jahnetik
Topic Starter, Member, 10 posts

OK, changing the name worked; it picked it up, but it still won't delete anything. VundoFix won't delete it either because it says that it's being used by another person or program. I can't end the process. Here's my log:

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\cmd.exe
D:\Documents and Settings\Jason Andrews\Desktop\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://static.vpptec...results.html?s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=d:\windows\system32\userinit.exe
O2 - BHO: (no name) - {73576F4D-69FE-4916-AD64-DFF86D24C371} - D:\WINDOWS\System32\ssttt.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: &Search the Web - D:\WINDOWS\Web\Ers_src.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movi.../altpmtscab.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129575356531
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssttt - D:\WINDOWS\System32\ssttt.dll
O20 - Winlogon Notify: winbue32 - D:\WINDOWS\SYSTEM32\winbue32.dll
O23 - Service: Aardvark Professional Audio Manager (aardvarkpm) - Aardvark Computer Systems, Inc. - D:\Program Files\Aardvark\aardvark.exe
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Unknown owner - D:\WINDOWS\System32\bmwebcfg.exe (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - D:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - D:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTLOAD - Unknown owner - D:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - D:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - Unknown owner - D:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
#6 loophole
Malware Expert, Retired Staff, 9,798 posts

We can remove it, but I need to see the header portion of your HijackThis log. It shows the OS, version of IE, etc. Can you please rescan and post a new log and include the header? Then we will remove it as well as the other bad file that is running.

Also, since it didn't detect the file, can you please have it submitted?



Please go here to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: D:\WINDOWS\System32\ssttt.dll in the first filename box
  • In the comments, please mention VF did not detect
  • Click on Send File

Edited by loophole, 05 September 2006 - 05:29 PM.

#7 jahnetik
Topic Starter, Member, 10 posts

OK, here's my full log. I also just uploaded the file. I use Firefox instead of IE.

Logfile of HijackThis v1.99.1
Scan saved at 12:48:56 PM, on 9/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\cmd.exe
D:\Documents and Settings\Jason Andrews\Desktop\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://static.vpptec...results.html?s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=d:\windows\system32\userinit.exe
O2 - BHO: (no name) - {73576F4D-69FE-4916-AD64-DFF86D24C371} - D:\WINDOWS\System32\ssttt.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: &Search the Web - D:\WINDOWS\Web\Ers_src.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movi.../altpmtscab.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129575356531
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssttt - D:\WINDOWS\System32\ssttt.dll
O20 - Winlogon Notify: winbue32 - D:\WINDOWS\SYSTEM32\winbue32.dll
O23 - Service: Aardvark Professional Audio Manager (aardvarkpm) - Aardvark Computer Systems, Inc. - D:\Program Files\Aardvark\aardvark.exe
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Unknown owner - D:\WINDOWS\System32\bmwebcfg.exe (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - D:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - D:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTLOAD - Unknown owner - D:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - D:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - Unknown owner - D:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
#8 loophole
Malware Expert, Retired Staff, 9,798 posts

Please open Notepad, and copy/paste the code in the white box below into a new text file. Save it as "delete.bat" WITH THE QUOTES and save it on your Desktop.

@echo off
REM Stop the three orphaned services first so their registrations can be removed.
sc stop NTBOOT
sc stop NTSVCMGR
sc stop NTLOAD
REM Now delete the service registrations (their binaries are already missing).
sc delete NTBOOT
sc delete NTSVCMGR
sc delete NTLOAD
exit

After saving as instructed above, please close Notepad. You will now have a file on your desktop called delete.bat. Please double-click it.


1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
D:\WINDOWS\System32\ssttt.dll
D:\WINDOWS\SYSTEM32\winbue32.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

Thanks

Edited by loophole, 05 September 2006 - 05:49 PM.

#9 jahnetik
Topic Starter, Member, 10 posts

Thanks so much, it worked!!!!!!!!!!!!!

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bailneqc

*******************

Script file located at: \??\D:\WINDOWS\awgmkeuc.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at D:\Avenger

*******************

Beginning to process script file:

File D:\WINDOWS\System32\ssttt.dll deleted successfully.
File D:\WINDOWS\SYSTEM32\winbue32.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

------------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:11:35 PM, on 9/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Aardvark\aardvark.exe
D:\WINDOWS\system32\cisvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\System32\ZoneLabs\isafe.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Documents and Settings\Jason Andrews\Desktop\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://static.vpptec...results.html?s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=d:\windows\system32\userinit.exe
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: &Search the Web - D:\WINDOWS\Web\Ers_src.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movi.../altpmtscab.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129575356531
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssttt - D:\WINDOWS\System32\ssttt.dll (file missing)
O20 - Winlogon Notify: winbue32 - winbue32.dll (file missing)
O23 - Service: Aardvark Professional Audio Manager (aardvarkpm) - Aardvark Computer Systems, Inc. - D:\Program Files\Aardvark\aardvark.exe
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Unknown owner - D:\WINDOWS\System32\bmwebcfg.exe (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - D:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - D:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
#10 loophole
Malware Expert, Retired Staff, 9,798 posts

Hi again

Please run a scan with HijackThis and check the following lines for removal:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movi.../altpmtscab.cab
O20 - Winlogon Notify: ssttt - D:\WINDOWS\System32\ssttt.dll (file missing)
O20 - Winlogon Notify: winbue32 - winbue32.dll (file missing)

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.



Your Java is way out of date:


1. Update Java and Remove old Java Versions
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 8. <== scroll down the list to find THIS entry
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Remove older Java Versions:
  • Close any programs you may have running - especially your web browser.
  • Go to Start >> Control Panel double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
Install latest Java Version:
  • From your desktop, double-click on jre-1_5_0_08-windows-i586-p to install the newest version.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

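The triage loophole does by eye in posts #8 and #10 (an unnamed BHO, Winlogon Notify DLLs, O23 services whose binary is missing, sites added to the Trusted Zone, hijacked search entries) written as code, as an added example that is not part of this thread and not part of HijackThis: a small Python parser for HijackThis v1.99.1 log lines, a rule set that flags those entries, and a helper that lists the orphaned service names the delete.bat step removed. The sample log is constructed from the shape of the logs above, and the KNOWN_NOTIFY allowlist is an illustrative assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the format HijackThis v1.99.1 writes. The entries are
# modelled on the logs posted in this thread, not copied from a real capture.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://static.vpptec...results.html?s=
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {73576F4D-69FE-4916-AD64-DFF86D24C371} - D:\WINDOWS\System32\ssttt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssttt - D:\WINDOWS\System32\ssttt.dll
O20 - Winlogon Notify: winbue32 - D:\WINDOWS\SYSTEM32\winbue32.dll
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - D:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTLOAD - Unknown owner - D:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section code ("O23") followed by " - ".
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# First Windows path to a .dll/.exe/.ocx in an entry, with or without quotes.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\n]*?\.(?:dll|exe|ocx))"?', re.IGNORECASE)
# "Service: <display name> (<short name>) - <owner> - <path>"; short name is optional.
SERVICE_RE = re.compile(r"^Service: (.+?)(?: \((\w+)\))? - (.+?) - ")
# Illustrative allowlist (an assumption, not a HijackThis list): Winlogon Notify
# DLLs expected on this kind of machine, such as the Intel graphics one.
KNOWN_NOTIFY = {"igfxsrvc.dll"}

@dataclass
class Entry:
    section: str
    body: str
    path: str = ""  # first file path in the entry, "" when there is none

@dataclass
class Finding:
    section: str
    reason: str
    entry: str

def parse_hjt(text: str) -> List[Entry]:
    """Keep only R*/F*/O* entries; header and 'Running processes' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        pm = PATH_RE.search(body)
        entries.append(Entry(section, body, pm.group(1) if pm else ""))
    return entries

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def is_orphan_service(e: Entry) -> bool:
    """O23 entry whose binary is gone and whose publisher is unknown."""
    return e.section == "O23" and "(file missing)" in e.body and "Unknown owner" in e.body

def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the rules of thumb used in this thread; return the entries worth fixing."""
    findings = []
    # A DLL loaded both as a browser helper object and as a Winlogon Notify package
    # (ssttt.dll here) is the strongest signal in the log.
    bho_dlls = {basename(e.path) for e in entries if e.section == "O2" and e.path}
    for e in entries:
        b, line = e.body, f"{e.section} - {e.body}"
        if e.section == "R1" and not re.search(r"\.(microsoft|msn)\.com", b):
            findings.append(Finding(e.section, "search/start page not a vendor default", line))
        elif e.section == "R3" and "missing" in b:
            findings.append(Finding(e.section, "default URLSearchHook missing", line))
        elif e.section == "O2" and "(no name)" in b:
            findings.append(Finding(e.section, "unnamed BHO", line))
        elif e.section == "O15":
            findings.append(Finding(e.section, "site added to Trusted Zone", line))
        elif e.section == "O20" and "Winlogon Notify" in b:
            name = basename(e.path)
            if name in bho_dlls:
                findings.append(Finding(e.section, "same DLL registered as BHO and Winlogon Notify", line))
            elif name not in KNOWN_NOTIFY:
                findings.append(Finding(e.section, "Winlogon Notify DLL not on the allowlist", line))
        elif is_orphan_service(e):
            findings.append(Finding(e.section, "orphaned service, binary missing", line))
    return findings

def orphaned_services(entries: List[Entry]) -> List[str]:
    """Service names (short name when HijackThis shows one) that `sc delete` would take."""
    names = []
    for e in entries:
        m = SERVICE_RE.match(e.body) if is_orphan_service(e) else None
        if m:
            names.append(m.group(2) or m.group(1))
    return names

if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for f in triage(parsed):
        print(f"[{f.section}] {f.reason}: {f.entry}")
    print("orphaned services:", orphaned_services(parsed))
```

Running the block prints eight findings for the sample and the two orphaned service names (NTBOOT, NTLOAD); the O4 ZoneAlarm entry, the Intel Notify DLL and the vsmon service pass untouched.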


#11 jahnetik
Topic Starter, Member, 10 posts

Here they are. I can't believe Ad-Aware or Spybot didn't pick these up:


Incident Status Location

Adware:adware/securityerror Not disinfected d:\windows\system32\ot.ico
Adware:adware/tvmedia Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\tvmcwrd.dll
Adware:adware/ist.istbar Not disinfected d:\program files\common files\Totem Shared
Adware:adware/lop Not disinfected D:\Documents and Settings\Jason Andrews\Favorites\ Dating
Adware:adware/cws Not disinfected Windows Registry
Adware:adware/stickypops Not disinfected Windows Registry
Adware:adware/powerstrip Not disinfected Windows Registry
Adware:adware/searchexe Not disinfected Windows Registry
Adware:Adware/SuperSpider Not disinfected D:\avenger\backup.zip[avenger/winbue32.dll]
Hacktool:HackTool/Disilitra.B Not disinfected D:\Documents and Settings\All Users.WINDOWS\Application Data\SecTaskMan\ntsrv.exe.q_DFC4200_q.old
Adware:Adware/PurityScan Not disinfected D:\Documents and Settings\All Users.WINDOWS\Application Data\SecTaskMan\uetp.exe.q_806E01_q
Hacktool:Exploit/ByteVerify Not disinfected D:\Documents and Settings\Jason Andrews\.jpi_cache\jar\1.0\arr3.jar-53b20017-4a0b47c0.zip[Gummy.class]
Hacktool:Exploit/ByteVerify Not disinfected D:\Documents and Settings\Jason Andrews\.jpi_cache\jar\1.0\arr3.jar-53b20017-4a0b47c0.zip[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected D:\Documents and Settings\Jason Andrews\.jpi_cache\jar\1.0\arr3.jar-53b20017-4a0b47c0.zip[VerifierBug.class]
Virus:Trj/Classloader.AD Disinfected D:\Documents and Settings\Jason Andrews\.jpi_cache\jar\1.0\arr3.jar-53b20017-4a0b47c0.zip[Beyond.class]
Spyware:Cookie/YieldManager Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Advnt Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[www.advnt01.com/]
Spyware:Cookie/YieldManager Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/WUpd Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.revenue.net/]
Spyware:Cookie/Statcounter Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.statcounter.com/]
Spyware:Cookie/bravenetA Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.bravenet.com/]
Spyware:Cookie/Apmebf Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.apmebf.com/]
Spyware:Cookie/onestat.com Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/onestat.com Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[server.iad.liveperson.net/hc/91338698]
Spyware:Cookie/Casalemedia Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Screensavers Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.i.screensavers.com/]
Spyware:Cookie/DriveCleaner Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[stats.drivecleaner.com/]
Spyware:Cookie/Xiti Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.xiti.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[www.myaffiliateprogram.com/]
Spyware:Cookie/Toplist Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.toplist.cz/]
Spyware:Cookie/Maxserving Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.maxserving.com/]
Spyware:Cookie/RealMedia Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.realmedia.com/]
Spyware:Cookie/adultfriendfinder Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Yadro Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.yadro.ru/]
Spyware:Cookie/Com.com Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.com.com/]
Spyware:Cookie/Adrevolver Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[server.iad.liveperson.net/hc/46380522]
Spyware:Cookie/Enhance Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[c.enhance.com/]
Spyware:Cookie/Hbmediapro Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[server.iad.liveperson.net/hc/15527479]
Spyware:Cookie/FortuneCity Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.fortunecity.com/]
Spyware:Cookie/BurstBeacon Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Zedo Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.zedo.com/]
Spyware:Cookie/DomainSponsor Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/Falkag Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Clickbank Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.clickbank.net/]
Spyware:Cookie/Serving-sys Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Searchportal Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Reliablestats Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Versiontracker Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.versiontracker.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[server.iad.liveperson.net/hc/76560009]
Spyware:Cookie/Go Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[.go.com/]
Spyware:Cookie/Com.com Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Mozilla\Firefox\Profiles\default.xon\cookies.txt[ad.sensismediasmart.com.au/]
Spyware:Cookie/Com.com Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Thunderbird\Profiles\tv0oq3i9.default\cookies.txt[.com.com/]
Spyware:Cookie/Doubleclick Not disinfected D:\Documents and Settings\Jason Andrews\Application Data\Thunderbird\Profiles\tv0oq3i9.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/YieldManager Not disinfected D:\Documents and Settings\Jason Andrews\Cookies\jason [email protected][1].txt
Spyware:Cookie/Apmebf Not disinfected D:\Documents and Settings\Jason Andrews\Cookies\jason andrews@apmebf[2].txt
Spyware:Cookie/nCase Not disinfected D:\Documents and Settings\Jason Andrews\Cookies\jason [email protected][1].txt
Spyware:Cookie/Bluestreak Not disinfected D:\Documents and Settings\Jason Andrews\Cookies\jason andrews@bluestreak[1].txt
Spyware:Cookie/DriveCleaner Not disinfected D:\Documents and Settings\Jason Andrews\Cookies\jason andrews@drivecleaner[1].txt
Spyware:Cookie/Screensavers Not disinfected D:\Documents and Settings\Jason Andrews\Cookies\jason [email protected][1].txt
Spyware:Cookie/Mediaplex Not disinfected D:\Documents and Settings\Jason Andrews\Cookies\jason andrews@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected D:\Documents and Settings\Jason Andrews\Cookies\jason [email protected][1].txt
Spyware:Cookie/Statcounter Not disinfected D:\Documents and Settings\Jason Andrews\Cookies\jason andrews@statcounter[1].txt
Spyware:Cookie/Reliablestats Not disinfected D:\Documents and Settings\Jason Andrews\Cookies\jason [email protected][2].txt
Spyware:Cookie/Mammamediasolutions Not disinfected D:\Documents and Settings\Jason Andrews\Cookies\jason andrews@targetnet[1].txt
Adware:Adware/TVMedia Not disinfected D:\Documents and Settings\Jason Andrews\Desktop\Apps\backups\backup-20060906-202003-540.inf
Potentially unwanted tool:Application/Processor Not disinfected D:\Documents and Settings\Jason Andrews\Desktop\Apps\VundoFix\VundoFix\process.exe
Adware:Adware/DollarRevenue Not disinfected D:\Documents and Settings\Jason Andrews\Local Settings\Temp\b122.exe[mc-0-0-0.exe][²ÜÇ\nsProcess.dll]
Adware:Adware/PCodec Not disinfected D:\Documents and Settings\Jason Andrews\Local Settings\Temp\b122.exe[²ÜÇ\nsRandom.dll]
Adware:Adware/DollarRevenue Not disinfected D:\Documents and Settings\Jason Andrews\Local Settings\Temp\nsc10.tmp\nsProcess.dll
Adware:Adware/DollarRevenue Not disinfected D:\Documents and Settings\Jason Andrews\Local Settings\Temp\nsp60.tmp\nsProcess.dll
Adware:Adware/DollarRevenue Not disinfected D:\Documents and Settings\Jason Andrews\Local Settings\Temp\nsw4A.tmp\nsProcess.dll
Potentially unwanted tool:Application/SpywareQuake Not disinfected D:\Documents and Settings\Jason Andrews\Local Settings\Temp\sa58.exe[Spy-Quake2.exe]
Adware:Adware/Maxifiles Not disinfected D:\Documents and Settings\Jason Andrews\Local Settings\Temp\win46.tmp.exe
Adware:Adware/DollarRevenue Not disinfected D:\Documents and Settings\Jason Andrews\Local Settings\Temporary Internet Files\Content.IE5\OZQF2921\loader[1].exe
Spyware:Spyware/Virtumonde Not disinfected D:\Documents and Settings\Jason Andrews\Local Settings\Temporary Internet Files\Content.IE5\S1SX23GT\anti4[1].exe
Adware:Adware/DollarRevenue Not disinfected D:\Documents and Settings\Jason Andrews\Local Settings\Temporary Internet Files\Content.IE5\V35ZRX08\122[1].net[mc-0-0-0.exe][²ÜÇ\nsProcess.dll]
Adware:Adware/PCodec Not disinfected D:\Documents and Settings\Jason Andrews\Local Settings\Temporary Internet Files\Content.IE5\V35ZRX08\122[1].net[²ÜÇ\nsRandom.dll]
Adware:Adware/Maxifiles Not disinfected D:\Documents and Settings\Jason Andrews\Local Settings\Temporary Internet Files\Content.IE5\V35ZRX08\wlzip32[1].exe
Adware:Adware/IST.ISTBar Not disinfected D:\Documents and Settings\Jason Andrews\SVCHOST.0XE
Potentially unwanted tool:Application/Zango Not disinfected D:\Program Files\Mozilla Firefox\plugins\npclntax.dll
Spyware:Spyware/Virtumonde Not disinfected D:\VundoFix Backups\ddcbabb.dll
Adware:Adware/TVMedia Not disinfected D:\WINDOWS\Downloaded Program Files\APInstall_Tiny.dll
Adware:Adware/SAHAgent Not disinfected D:\WINDOWS\inf\bi8.inf
Adware:Adware/DigInk Not disinfected D:\WINDOWS\srvfkgdrwp.exe
Adware:Adware/Veevo Not disinfected D:\WINDOWS\system32\kdpupd.dll

---------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:23:13 PM, on 9/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Aardvark\aardvark.exe
D:\WINDOWS\system32\cisvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\ZoneLabs\isafe.exe
D:\WINDOWS\system32\cidaemon.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Jason Andrews\Desktop\Apps\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
F2 - REG:system.ini: UserInit=d:\windows\system32\userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O8 - Extra context menu item: &Search the Web - D:\WINDOWS\Web\Ers_src.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129575356531
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Aardvark Professional Audio Manager (aardvarkpm) - Aardvark Computer Systems, Inc. - D:\Program Files\Aardvark\aardvark.exe
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Unknown owner - D:\WINDOWS\System32\bmwebcfg.exe (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - D:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - D:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
#12
loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi :whistling:

Ad-Aware and Spybot aren't as powerful as they once were, especially against the newer malware.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Delete these two folders:

D:\VundoFix Backups
D:\avenger

Delete this out of your favorites:
Dating


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    D:\Documents and Settings\Jason Andrews\Application Data\tvmcwrd.dll

    D:\WINDOWS\Downloaded Program Files\APInstall_Tiny.dll
    D:\WINDOWS\inf\bi8.inf
    D:\WINDOWS\srvfkgdrwp.exe
    D:\WINDOWS\system32\kdpupd.dll
    d:\program files\common files\Totem Shared
    d:\windows\system32\ot.ico
    D:\Documents and Settings\Jason Andrews\SVCHOST.0XE
    D:\Program Files\Mozilla Firefox\plugins\npclntax.dll
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


How is everything running?
#13
jahnetik (Member, Topic Starter, 10 posts)
This is interesting. After I did all you said I still had some pesky pop-ups happening. Since all this malware got into my comp a couple of days ago, I noticed that the picture on my desktop looked all pixelated; I knew it had to do with the malware and my Active Desktop. Anyway, I checked Properties-->Desktop-->Customize Desktop-->Web and, lo and behold, there were two HTML files running in the list. I deleted them and the desktop picture went back to normal.

Since then I haven't had any pop-ups. I guess the malware was running through the Active Desktop. You can pass this on to users if you want.


Thanks very much for your help
jason
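As an added example (not code from the thread or from any of the tools it mentions), here is a PowerShell check for the Active Desktop web-component hijack jason describes: it enumerates the same HKCU\Software\Microsoft\Internet Explorer\Desktop\Components keys that the SmitfraudFix report lists and flags any component whose Source or SubscribedURL is not the stock About:Home, with local .htm/.html/.js targets (the kind of file SmitfraudFix found as D:\WINDOWS\local.html and ads.js) called out separately. The General\Wallpaper value name is an assumption based on standard Windows behaviour, not something shown on the page.

```powershell
# Added example, not from the original thread. Run as the affected user.
# Registry key names below come from the SmitfraudFix "Desktop Components"
# section; the General\Wallpaper value is assumed from standard Windows.
$componentsKey = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
$generalKey    = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General'

function Get-SourceRisk {
    # Classify a component target: 'ok' for the stock home-page component,
    # 'local-html' for a local HTML/JS file (the classic hijack), 'review'
    # for anything else that is not the default.
    param([string]$Source)
    if ([string]::IsNullOrEmpty($Source)) { return 'ok' }
    if ($Source -ieq 'About:Home')       { return 'ok' }
    $isLocal = $Source -match '^(file:|[A-Za-z]:\\)'
    $isPage  = $Source -match '\.(htm|html|js)(\?.*)?$'
    if ($isLocal -and $isPage) { return 'local-html' }
    return 'review'
}

$findings = @()

if (Test-Path $componentsKey) {
    # Each numbered subkey (0, 1, ...) is one web component shown on the desktop.
    Get-ChildItem $componentsKey | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        foreach ($name in 'Source', 'SubscribedURL') {
            $value = $props.$name
            $risk  = Get-SourceRisk $value
            if ($risk -ne 'ok') {
                $findings += [pscustomobject]@{
                    Key      = $_.PSChildName
                    Value    = $name
                    Target   = $value
                    Friendly = $props.FriendlyName
                    Risk     = $risk
                    # Whether the referenced file still exists on disk (local paths only).
                    OnDisk   = ($value -match '^[A-Za-z]:\\') -and (Test-Path -LiteralPath $value)
                }
            }
        }
    }
}

# An HTML file set as the wallpaper is the other way a page gets rendered on the desktop.
if (Test-Path $generalKey) {
    $wallpaper = (Get-ItemProperty $generalKey).Wallpaper
    if ($wallpaper -match '\.(htm|html)$') {
        $findings += [pscustomobject]@{
            Key = 'General'; Value = 'Wallpaper'; Target = $wallpaper
            Friendly = ''; Risk = 'local-html'; OnDisk = (Test-Path -LiteralPath $wallpaper)
        }
    }
}

if ($findings.Count -eq 0) {
    'No non-default Active Desktop components found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Anything reported as local-html is what the Customize Desktop, Web list in the post would have shown; a component whose target no longer exists on disk (OnDisk false) is usually leftover from a removal that cleaned the file but not the registry entry.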

#14
loophole (Malware Expert, Retired Staff, 9,798 posts)
Hmm... Yes, they have been doing that for a while, but I didn't see it in any of the logs.

Can you do this for me? It only takes a few seconds; just don't select option 2.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

Edited by loophole, 07 September 2006 - 08:58 PM.

#15
jahnetik (Member, Topic Starter, 10 posts)
SmitFraudFix v2.84

Scan done at 22:36:30.07, Thu 09/07/2006
Run from D:\Documents and Settings\Jason Andrews\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» D:\


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS

D:\WINDOWS\ads.js FOUND !
D:\WINDOWS\local.html FOUND !
D:\WINDOWS\removeadware.ico FOUND !
D:\WINDOWS\videoslots.ico FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Jason Andrews\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

D:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Online Security Guide.url FOUND !
D:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» D:\DOCUME~1\JASONA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» D:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End