Alrighty, had popups for about a week and could use advice.


#1 DPsx7 (New Member, 9 posts)
OK, I'll keep this quick since the logs add up fast. Last week I was viewing some page and I think it was a popup that began all my trouble. Totally blasted me with various things. I mean LOTS of [bleep]. Over the last week I've run plenty of scans and removal tools, yet this has yet to be fully removed. I believe I've knocked out a large portion of it; at least my PC will shut down and run a little quicker. I've used VundoFix, VirtumundoBeGone, CWShredder, and TrojanHunter, plus multiple online scans such as Ewido, McAfee and BitDefender. Some things find problems, many come back clean. (The ones that find stuff never do anything about it...) A few scanners (Ad-Aware, Spyware Doctor, and Spybot S&D) run really slow. I've tried getting rid of it all myself as I've done in the past, but this one overwhelmed me and still isn't gone. Any advice would be appreciated. Here are my recent HijackThis, VBG, and Spyware Doctor logs. Thanks.
------------
Logfile of HijackThis v1.99.1
Scan saved at 3:47:39 PM, on 10/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
D:\Program Files\Ewido AS 4.0\guard.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\TrojanHunter 4.6\THGuard.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
D:\Downloads\Repair Tools\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lanarchy.org/web2/html/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {6BBC4C44-90B8-503B-149A-0151397244E5} - C:\WINNT\system32\jsrbcu.dll (file missing)
O2 - BHO: (no name) - {739C352C-CAF9-D13A-CBC1-034A2F8881B4} - C:\WINNT\system32\fastsz.dll (file missing)
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINNT\system32\nsd57.dll (file missing)
O2 - BHO: C:\WINNT\system32\251BE0.dll - {855875B5-93F3-429D-FF34-660B206D897C} - C:\WINNT\system32\251BE0.dll (file missing)
O2 - BHO: (no name) - {A78CC8FE-234D-2FC9-4574-5CF077C66B9A} - C:\WINNT\system32\grmwehta.dll (file missing)
O2 - BHO: (no name) - {AC8E0070-7011-4A14-B59E-BDC0A1D27370} - C:\WINNT\system32\sstqr.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINNT\system32\jlsusadg.dll (file missing)
O2 - BHO: (no name) - {F3D091FD-244C-789B-4174-5CF077C66893} - C:\WINNT\system32\nyh.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [np] c:\winnt\system32\upnp.exe
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [Ncuw] "C:\WINNT\system32\ASKS~1\svchost.exe" -vt ndrv
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://www3.ca.com
O15 - Trusted Zone: http://usa.kaspersky.com
O15 - Trusted Zone: http://us.mcafee.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.trendmicro.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinn...gsaw/jigsaw.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...861/mcfscan.cab
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\hr2o05f3e.dll (file missing)
O20 - Winlogon Notify: sstqr - C:\WINNT\system32\sstqr.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\Ewido AS 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe



[10/01/2006, 15:33:22] - VirtumundoBeGone v1.5 ( "D:\Downloads\Repair Tools\VirtumundoBeGone.exe" )
[10/01/2006, 15:33:23] - Detected System Information:
[10/01/2006, 15:33:23] - Windows Version: 5.0.2195, Service Pack 4
[10/01/2006, 15:33:23] - Current Username: Administrator (Admin)
[10/01/2006, 15:33:23] - Windows is in NORMAL mode.
[10/01/2006, 15:33:23] - Searching for Browser Helper Objects:
[10/01/2006, 15:33:23] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/01/2006, 15:33:23] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/01/2006, 15:33:23] - BHO 2: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[10/01/2006, 15:33:23] - BHO 3: {6BBC4C44-90B8-503B-149A-0151397244E5} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\jsrbcu
[10/01/2006, 15:33:23] - Key not found: HKLM\...\Winlogon\Notify\jsrbcu, continuing.
[10/01/2006, 15:33:23] - BHO 4: {739C352C-CAF9-D13A-CBC1-034A2F8881B4} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\fastsz
[10/01/2006, 15:33:23] - Key not found: HKLM\...\Winlogon\Notify\fastsz, continuing.
[10/01/2006, 15:33:23] - BHO 5: {746455FE-D059-47e7-AF0E-140E03F5A447} (SSL encrypt)
[10/01/2006, 15:33:23] - BHO 6: {855875B5-93F3-429D-FF34-660B206D897C} (C:\WINNT\system32\251BE0.dll)
[10/01/2006, 15:33:23] - BHO 7: {8DDB60B7-F83B-4CC5-84A8-DC63F2CB51AC} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\sstqr
[10/01/2006, 15:33:23] - Found: HKLM\...\Winlogon\Notify\sstqr - This is probably Virtumundo.
[10/01/2006, 15:33:23] - Assigning {8DDB60B7-F83B-4CC5-84A8-DC63F2CB51AC} MSEvents Object
[10/01/2006, 15:33:23] - BHO list has been changed! Starting over...
[10/01/2006, 15:33:23] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/01/2006, 15:33:23] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/01/2006, 15:33:23] - BHO 2: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[10/01/2006, 15:33:23] - BHO 3: {6BBC4C44-90B8-503B-149A-0151397244E5} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\jsrbcu
[10/01/2006, 15:33:23] - Key not found: HKLM\...\Winlogon\Notify\jsrbcu, continuing.
[10/01/2006, 15:33:23] - BHO 4: {739C352C-CAF9-D13A-CBC1-034A2F8881B4} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\fastsz
[10/01/2006, 15:33:23] - Key not found: HKLM\...\Winlogon\Notify\fastsz, continuing.
[10/01/2006, 15:33:23] - BHO 5: {746455FE-D059-47e7-AF0E-140E03F5A447} (SSL encrypt)
[10/01/2006, 15:33:23] - BHO 6: {855875B5-93F3-429D-FF34-660B206D897C} (C:\WINNT\system32\251BE0.dll)
[10/01/2006, 15:33:23] - BHO 7: {8DDB60B7-F83B-4CC5-84A8-DC63F2CB51AC} (MSEvents Object)
[10/01/2006, 15:33:23] - ALERT: Found MSEvents Object!
[10/01/2006, 15:33:23] - BHO 8: {A78CC8FE-234D-2FC9-4574-5CF077C66B9A} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\grmwehta
[10/01/2006, 15:33:23] - Key not found: HKLM\...\Winlogon\Notify\grmwehta, continuing.
[10/01/2006, 15:33:23] - BHO 9: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[10/01/2006, 15:33:23] - BHO 10: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\jlsusadg
[10/01/2006, 15:33:23] - Key not found: HKLM\...\Winlogon\Notify\jlsusadg, continuing.
[10/01/2006, 15:33:23] - BHO 11: {F3D091FD-244C-789B-4174-5CF077C66893} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\nyh
[10/01/2006, 15:33:23] - Key not found: HKLM\...\Winlogon\Notify\nyh, continuing.
[10/01/2006, 15:33:23] - Finished Searching Browser Helper Objects
[10/01/2006, 15:33:23] - *** Detected MSEvents Object
[10/01/2006, 15:33:23] - Trying to remove MSEvents Object...
[10/01/2006, 15:33:24] - Terminating Process: IEXPLORE.EXE
[10/01/2006, 15:33:24] - Terminating Process: RUNDLL32.EXE
[10/01/2006, 15:33:24] - Disabling Automatic Shell Restart
[10/01/2006, 15:33:24] - Terminating Process: EXPLORER.EXE
[10/01/2006, 15:33:24] - Suspending the NT Session Manager System Service
[10/01/2006, 15:33:25] - Terminating Windows NT Logon/Logoff Manager
[10/01/2006, 15:33:25] - Re-enabling Automatic Shell Restart
[10/01/2006, 15:33:25] - File to disable: C:\WINNT\system32\sstqr.dll
[10/01/2006, 15:33:25] - Renaming C:\WINNT\system32\sstqr.dll -> C:\WINNT\system32\sstqr.dll.vir
[10/01/2006, 15:33:25] - ! File rename was unsucessful.
[10/01/2006, 15:33:25] - Attempting to Deny Access to C:\WINNT\system32\sstqr.dll
[10/01/2006, 15:33:25] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[10/01/2006, 15:33:25] - processed file: C:\WINNT\system32\sstqr.dll

[10/01/2006, 15:33:25] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[10/01/2006, 15:33:25] - Removing HKLM\...\Browser Helper Objects\{8DDB60B7-F83B-4CC5-84A8-DC63F2CB51AC}
[10/01/2006, 15:33:25] - Removing HKCR\CLSID\{8DDB60B7-F83B-4CC5-84A8-DC63F2CB51AC}
[10/01/2006, 15:33:25] - Adding Kill Bit for ActiveX for GUID: {8DDB60B7-F83B-4CC5-84A8-DC63F2CB51AC}
[10/01/2006, 15:33:26] - Deleting ATLEvents/MSEvents Registry entries
[10/01/2006, 15:33:26] - Removing HKLM\...\Winlogon\Notify\sstqr
[10/01/2006, 15:33:26] - Searching for Browser Helper Objects:
[10/01/2006, 15:33:26] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/01/2006, 15:33:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:26] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/01/2006, 15:33:26] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/01/2006, 15:33:26] - BHO 2: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[10/01/2006, 15:33:26] - BHO 3: {6BBC4C44-90B8-503B-149A-0151397244E5} ()
[10/01/2006, 15:33:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:26] - Checking for HKLM\...\Winlogon\Notify\jsrbcu
[10/01/2006, 15:33:26] - Key not found: HKLM\...\Winlogon\Notify\jsrbcu, continuing.
[10/01/2006, 15:33:26] - BHO 4: {739C352C-CAF9-D13A-CBC1-034A2F8881B4} ()
[10/01/2006, 15:33:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:26] - Checking for HKLM\...\Winlogon\Notify\fastsz
[10/01/2006, 15:33:26] - Key not found: HKLM\...\Winlogon\Notify\fastsz, continuing.
[10/01/2006, 15:33:26] - BHO 5: {746455FE-D059-47e7-AF0E-140E03F5A447} (SSL encrypt)
[10/01/2006, 15:33:26] - BHO 6: {855875B5-93F3-429D-FF34-660B206D897C} (C:\WINNT\system32\251BE0.dll)
[10/01/2006, 15:33:26] - BHO 7: {8DDB60B7-F83B-4CC5-84A8-DC63F2CB51AC} ()
[10/01/2006, 15:33:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:26] - Checking for HKLM\...\Winlogon\Notify\sstqr
[10/01/2006, 15:33:26] - Key not found: HKLM\...\Winlogon\Notify\sstqr, continuing.
[10/01/2006, 15:33:26] - BHO 8: {A78CC8FE-234D-2FC9-4574-5CF077C66B9A} ()
[10/01/2006, 15:33:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:26] - Checking for HKLM\...\Winlogon\Notify\grmwehta
[10/01/2006, 15:33:26] - Key not found: HKLM\...\Winlogon\Notify\grmwehta, continuing.
[10/01/2006, 15:33:26] - BHO 9: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[10/01/2006, 15:33:26] - BHO 10: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[10/01/2006, 15:33:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:26] - Checking for HKLM\...\Winlogon\Notify\jlsusadg
[10/01/2006, 15:33:26] - Key not found: HKLM\...\Winlogon\Notify\jlsusadg, continuing.
[10/01/2006, 15:33:26] - BHO 11: {F3D091FD-244C-789B-4174-5CF077C66893} ()
[10/01/2006, 15:33:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:26] - Checking for HKLM\...\Winlogon\Notify\nyh
[10/01/2006, 15:33:26] - Key not found: HKLM\...\Winlogon\Notify\nyh, continuing.
[10/01/2006, 15:33:26] - Finished Searching Browser Helper Objects
[10/01/2006, 15:33:26] - Finishing up...
[10/01/2006, 15:33:26] - A restart is needed.
[10/01/2006, 15:33:27] - Attempting to Restart via STOP error (Blue Screen!)


Scan Results:
scan start: 10/1/2006 4:35:20 PM
scan stop: 10/1/2006 5:17:30 PM
scanned items: 51719
found items: 124
found and ignored: 0
tools used: General Scanner, Process Scanner, Registry Scanner, Startup Scanner, Browser Scanner, Browser Activity Scanner, LSP Scanner, Disk Scanner, ActiveX Scanner



Infection Name Location Risk
Common Components Unrelated C:\Documents and Settings\All Users\Documents\Settings\desktop.ini Medium
MediaTickets C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe Elevated
MediaTickets C:\Program Files\Common Files\Yazzle1438OinUninstaller.exe Elevated
MediaTickets C:\Program Files\Common Files\Yazzle1440OinUninstaller.exe Elevated
MediaTickets C:\Program Files\Common Files\Yazzle1452OinUninstaller.exe Elevated
I-Search Desktop Search Toolbar C:\WINNT\RFBzeDc\lI1WyGw.vbs Elevated
Virtumonde C:\WINNT\system32\sstqr.dll Elevated
Virtumonde Explorer.EXE (C:\WINNT\system32\sstqr.dll) Elevated
Backdoor.Agent.CFC HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C} High
Backdoor.Agent.CFC HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}## High
Backdoor.Agent.CFC HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}##ThreadingModel High
Backdoor.Agent.CFC HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32 High
Backdoor.Agent.CFC HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32## High
Backdoor.Agent.CFC HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32##ThreadingModel High
Virtumonde HKCR\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370} Elevated
Virtumonde HKCR\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370}## Elevated
Virtumonde HKCR\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370}\InprocServer32 Elevated
Virtumonde HKCR\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370}\InprocServer32## Elevated
Virtumonde HKCR\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370}\InprocServer32##ThreadingModel Elevated
Maxifiles HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run##{78BEFE2C-08A3-1033-0727-050606050001} High
PurityScan HKCU\Software\PSCloner High
PurityScan HKCU\Software\PSCloner## High
Common Components for Trojans HKCU\Software\unker Medium
Common Components for Trojans HKCU\Software\unker## Medium
Common Components for Trojans HKCU\Software\unker\upnp Medium
Common Components for Trojans HKCU\Software\unker\upnp## Medium
Common Components for Trojans HKCU\Software\unker\upnp\main Medium
Common Components for Trojans HKCU\Software\unker\upnp\main## Medium
Common Components for Trojans HKCU\Software\unker\upnp\main##cid Medium
Backdoor.Agent.CFC HKLM\Software\Classes\CLSID\{855875B5-93F3-429D-FF34-660B206D897C} High
Backdoor.Agent.CFC HKLM\Software\Classes\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}## High
Backdoor.Agent.CFC HKLM\Software\Classes\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}##ThreadingModel High
Backdoor.Agent.CFC HKLM\Software\Classes\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32 High
Backdoor.Agent.CFC HKLM\Software\Classes\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32## High
Backdoor.Agent.CFC HKLM\Software\Classes\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32##ThreadingModel High
Virtumonde HKLM\Software\Classes\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370} Elevated
Virtumonde HKLM\Software\Classes\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370}## Elevated
Virtumonde HKLM\Software\Classes\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370}\InprocServer32 Elevated
Virtumonde HKLM\Software\Classes\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370}\InprocServer32## Elevated
Virtumonde HKLM\Software\Classes\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370}\InprocServer32##ThreadingModel Elevated
Virtumonde HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\sstqr##DllName Elevated
Virtumonde HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AC8E0070-7011-4A14-B59E-BDC0A1D27370} Elevated
Virtumonde HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AC8E0070-7011-4A14-B59E-BDC0A1D27370}## Elevated
Trojan.Downloader.Small.DNQ HKLM\Software\Microsoft\Windows\CurrentVersion\Run##np High
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1438Oin Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1438Oin## Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1438Oin##ntdll.dll Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1438Oin##UninstallString Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1440Oin Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1440Oin## Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1440Oin##ntdll.dll Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1440Oin##UninstallString Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1452Oin Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1452Oin## Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1452Oin##ntdll.dll Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1452Oin##UninstallString Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE##NextInstance Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000 Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000##Class Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000##ClassGUID Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000##ConfigFlags Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000##DeviceDesc Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000##Legacy Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000##Service Elevated
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR## High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR##NextInstance High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000 High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000## High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Class High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000##ClassGUID High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000##ConfigFlags High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000##DeviceDesc High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Legacy High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Service High
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE##NextInstance Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000 Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000##Class Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000##ClassGUID Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000##ConfigFlags Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000##DeviceDesc Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000##Legacy Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000##Service Elevated
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR## High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR##NextInstance High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000 High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000## High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Class High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000##ClassGUID High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000##ConfigFlags High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000##DeviceDesc High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Legacy High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Service High
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE##NextInstance Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000 Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##Class Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##ClassGUID Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##ConfigFlags Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##DeviceDesc Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##Legacy Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##Service Elevated
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR## High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR##NextInstance High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000 High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000## High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Class High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000##ClassGUID High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000##ConfigFlags High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000##DeviceDesc High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Legacy High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Service High
Virtumonde IEXPLORE.EXE (C:\WINNT\system32\sstqr.dll) Elevated
Common Components for Trojans multiple Medium
#2 DPsx7 (Topic Starter, New Member, 9 posts)
Sheeze, so much info to provide, I forgot to include the rest. I don't mean this as a bump, only that I've helped fix computers in the past and the more info the better, right? I know how hard it can be to diagnose problems over the phone/internet.

The popups include WinAntivirusPro 2006, another version of this program with a red theme (the first is blue), Seek Online, several that don't work because they are blocked in my IE sites list, DriveCleaner, and I think another said xooogle or something similar. IE regularly crashes as well when I browse my usual sites, probably due to bad popups. I've gone through and tried to remove much of this stuff manually, either with Killbox, editing the registry, or simply deleting files. Yet it seems like certain things keep coming back. There's gotta be a 'master' file that keeps doing it.

I recently tried using safe mode to run the tools, and it seems like something keeps closing Explorer. I open Task Manager and run a process, but it keeps flashing the box that says I'm in safe mode, and eventually I'm left with a blank desktop. I get a couple of seconds to try and run anything I can. Except for popups and, I think, a little slowdown, normal mode runs well enough to work with.

If I remember anything else that may help I'll edit this later.

Edited by DPsx7, 02 October 2006 - 11:41 PM.

#3 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi,

Please run a scan with HijackThis and check the following lines for removal:

O2 - BHO: (no name) - {6BBC4C44-90B8-503B-149A-0151397244E5} - C:\WINNT\system32\jsrbcu.dll (file missing)
O2 - BHO: (no name) - {739C352C-CAF9-D13A-CBC1-034A2F8881B4} - C:\WINNT\system32\fastsz.dll (file missing)
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINNT\system32\nsd57.dll (file missing)
O2 - BHO: C:\WINNT\system32\251BE0.dll - {855875B5-93F3-429D-FF34-660B206D897C} - C:\WINNT\system32\251BE0.dll (file missing)
O2 - BHO: (no name) - {A78CC8FE-234D-2FC9-4574-5CF077C66B9A} - C:\WINNT\system32\grmwehta.dll (file missing)
O2 - BHO: (no name) - {AC8E0070-7011-4A14-B59E-BDC0A1D27370} - C:\WINNT\system32\sstqr.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINNT\system32\jlsusadg.dll (file missing)
O2 - BHO: (no name) - {F3D091FD-244C-789B-4174-5CF077C66893} - C:\WINNT\system32\nyh.dll (file missing)
O4 - HKLM\..\Run: [np] c:\winnt\system32\upnp.exe

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

I know you said you ran VundoFix, but I want you to download a new one and follow the directions below. Vundo is present.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply with the VundoFix log and a new HijackThis log.
Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • 0

#4
DPsx7

DPsx7

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Interesting. I know I had the latest version of VundoFix (6.1.6), although this time it DID find something after several failed attempts. Even more interesting is that when I opened IE to come post here I still got a WAVP2000 popup... [bleep]. By the way, thanks. I appreciate your time. Ok, here are the logs.

VundoFix V6.1.6

Checking Java version...

Sun Java not detected
Scan started at 1:14:51 AM 9/29/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.6

Checking Java version...

Sun Java not detected
Scan started at 1:21:35 AM 9/29/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.6

Checking Java version...

Sun Java not detected
Scan started at 1:31:57 AM 9/29/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.6

Checking Java version...

Sun Java not detected
Scan started at 10:04:29 PM 9/29/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.6

Checking Java version...

Sun Java not detected
Scan started at 3:31:29 PM 10/1/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.6

Checking Java version...

Sun Java not detected
Scan started at 7:15:50 PM 10/2/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.6

Checking Java version...

Sun Java not detected
Scan started at 12:30:36 AM 10/3/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.1.6

Checking Java version...

Sun Java not detected
Scan started at 9:26:00 AM 10/3/2006

Listing files found while scanning....

C:\WINNT\system32\uoodoqha.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\uoodoqha.dll
C:\WINNT\system32\uoodoqha.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.1.6

Checking Java version...

Sun Java not detected
Scan started at 9:28:34 AM 10/3/2006

Listing files found while scanning....

C:\WINNT\system32\uoodoqha.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\uoodoqha.dll
C:\WINNT\system32\uoodoqha.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.6

Checking Java version...

Sun Java not detected
Scan started at 9:34:27 AM 10/3/2006

Listing files found while scanning....

No infected files were found.

------

Administrator - Tue 10/03/2006 9:33:27.39 Service Pack 4
ComboFix 06.09.28 - Running from: "D:\Downloads\Repair Tools"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\FNTS~1
C:\QooBox\Purity\WINNT\RACLE~1
C:\QooBox\Purity\WINNT\WNSXS~1
C:\QooBox\Purity\WINNT\system32\ASKS~1
C:\QooBox\Purity\WINNT\system32\CROSOF~1.NET
C:\QooBox\Purity\WINNT\system32\ASKS~1\?asks
C:\QooBox\Purity\WINNT\system32\CROSOF~1.NET\??crosoft.NET


((((((((((((((((((((((((((((((( Files Created from 2006-09-03 to 2006-10-03 ))))))))))))))))))))))))))))))))))


2006-10-01 16:35 45,525 --a------ C:\WINNT\system32\ubxlagcp.dll
2006-10-01 13:07 32,949 --a------ C:\WINNT\system32\waxgef32.dll
2006-09-28 20:27 51,072 --a------ C:\WINNT\system32\drivers\ikhlayer.sys
2006-09-28 20:27 30,592 --a------ C:\WINNT\system32\drivers\ikhfile.sys
2006-09-27 18:51 821,226 ---hs---- C:\WINNT\system32\rqtss.bak2
2006-09-27 01:17 816,804 ---hs---- C:\WINNT\system32\rqtss.ini2
2006-09-26 09:21 842,883 ---hs---- C:\WINNT\system32\rqtss.bak1
2006-09-26 09:21 577,588 --------- C:\WINNT\system32\sstqr.dll
2006-09-10 20:03 58,000 --a------ C:\WINNT\system32\drivers\cdr4_2K.sys
2006-09-10 20:03 49,152 --a------ C:\WINNT\system32\cdrtc.dll
2006-09-10 20:03 45,056 --a------ C:\WINNT\system32\cdral.dll
2006-09-10 20:03 23,420 --a------ C:\WINNT\system32\drivers\cdralw2k.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-02 00:31 -------- d-a------ C:\Program Files\Common Files
2006-10-01 20:53 -------- d-------- C:\Program Files\microsoft frontpage
2006-10-01 15:25 -------- d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2006-09-28 23:13 -------- d-------- C:\Program Files\Internet Explorer
2006-09-28 20:27 -------- d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2006-09-25 20:49 -------- d-------- C:\Program Files\Accessories
2006-09-23 18:31 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2006-09-23 18:30 -------- d-------- C:\Program Files\Adobe
2006-09-10 20:03 -------- d-------- C:\Program Files\Windows Media Player
2006-09-10 20:03 -------- d-------- C:\Program Files\Common Files\Adaptec Shared
2006-09-10 20:02 -------- d-------- C:\Program Files\Adaptec
2006-08-21 19:55 -------- d-------- C:\Program Files\Trend Micro
2006-08-08 18:23 -------- d--h----- C:\Program Files\InstallShield Installation Information


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ncuw"="\"C:\\WINNT\\system32\\ASKS~1\\svchost.exe\" -vt ndrv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"UpdReg"="C:\\WINNT\\Updreg.exe"
"CTHelper"="CTHELPER.EXE"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"QuickTime Task"="\"C:\\WINNT\\system32\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Share-to-Web Namespace Daemon"="D:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINNT\\system32\\NvMcTray.dll,NvTaskbarInit"
"np"="c:\\winnt\\system32\\upnp.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Internet Explorer\\qufyvuq.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Accessories\\nicosinol.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00002002
"Position"=hex:2c,00,00,00,96,00,00,00,00,00,00,00,8a,02,00,00,3c,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"=""

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{D3B3C51E-8D11-4667-85B9-0930F519BED7}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"ntdll.dll"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqr

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Tue 2006-10-03 9:33:52.04
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

--------

Logfile of HijackThis v1.99.1
Scan saved at 9:51:32 AM, on 10/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
D:\Program Files\Ewido AS 4.0\guard.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\mobsync.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Downloads\Repair Tools\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lanarchy.org/web2/html/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINNT\system32\uoodoqha.dll (file missing)
O2 - BHO: (no name) - {D86B5E1E-70DA-4E97-B6A8-AFEF3F8397F8} - C:\WINNT\system32\sstqr.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [np] c:\winnt\system32\upnp.exe
O4 - HKCU\..\Run: [Ncuw] "C:\WINNT\system32\ASKS~1\svchost.exe" -vt ndrv
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://www3.ca.com
O15 - Trusted Zone: http://usa.kaspersky.com
O15 - Trusted Zone: http://us.mcafee.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.trendmicro.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinn...gsaw/jigsaw.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...861/mcfscan.cab
O20 - Winlogon Notify: sstqr - C:\WINNT\system32\sstqr.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\Ewido AS 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
  • 0

#5
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

Please browse to C:\vundofix.txt and delete it. The log is getting kind of big; a new one will be created.

Add Files Feature in VundoFix
  • Double-click VundoFix.exe to run it again.
  • Click the Scan for Vundo button.
  • Once it's done scanning, right-click inside the listbox (white box) and click Add More Files.
    Copy & paste the entry below into the top box:

    C:\WINNT\system32\sstqr.dll

  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot; allow the computer to reboot and VundoFix to load.

DO NOT click "Scan for Vundo" again.

Just add the very same files as before and Click Remove Vundo.


Please post the C:\vundofix.txt and a new HijackThis log.

Edited by loophole, 03 October 2006 - 01:18 PM.

  • 0

#6
DPsx7

DPsx7

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Sorry, I meant to clear that file earlier but I forgot. Had work at 10 and I'm also trying to contact people so I can send back a laptop that was smashed up during shipment. Not having much luck with PCs recently... Lol. Lemme tell ya, I've come across that file a couple of times. It appeared in some of the scans I did and I tried using Killbox to get rid of it. For some reason KB couldn't reboot my PC (got an error message); guess that means I never actually removed it. Either that or the file reinstalled itself. Well, here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 7:32:02 PM, on 10/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
D:\Program Files\Ewido AS 4.0\guard.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Downloads\Repair Tools\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lanarchy.org/web2/html/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINNT\system32\gudqimgn.dll
O2 - BHO: (no name) - {BCF34CF0-4745-4463-975D-B946A6895FCA} - C:\WINNT\system32\sstqr.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [np] c:\winnt\system32\upnp.exe
O4 - HKCU\..\Run: [Ncuw] "C:\WINNT\system32\ASKS~1\svchost.exe" -vt ndrv
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://www3.ca.com
O15 - Trusted Zone: http://usa.kaspersky.com
O15 - Trusted Zone: http://us.mcafee.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.trendmicro.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinn...gsaw/jigsaw.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...861/mcfscan.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\Ewido AS 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe

-----

VundoFix V6.1.6

Checking Java version...

Sun Java not detected
Scan started at 7:27:04 PM 10/3/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINNT\system32\sstqr.dll
C:\WINNT\system32\sstqr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\sstqr.dll
C:\WINNT\system32\sstqr.dll Has been deleted!

Performing Repairs to the registry.
Done!
  • 0

#7
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

If you still have Killbox, you don't have to download a new one; just follow the directions.

Please run a scan with HijackThis and check the following lines for removal:

O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINNT\system32\gudqimgn.dll
O2 - BHO: (no name) - {BCF34CF0-4745-4463-975D-B946A6895FCA} - C:\WINNT\system32\sstqr.dll (file missing)
O4 - HKCU\..\Run: [Ncuw] "C:\WINNT\system32\ASKS~1\svchost.exe" -vt ndrv


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\ubxlagcp.dll
    C:\WINNT\system32\waxgef32.dll
    C:\WINNT\system32\rqtss.bak2
    C:\WINNT\system32\rqtss.ini2
    C:\WINNT\system32\rqtss.bak1



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

How is it running?
  • 0
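The helper's two "check the following lines for removal" posts (#3 and #7 above) pick out the same kinds of HijackThis entries each time. The script below, an added example that is not part of this thread nor of HijackThis itself, encodes those selection patterns as log triage rules; the regexes, the rules and the sample lines (copied from the logs posted in this thread, mixed with entries the helper left alone) are all this example's own assumptions.

```python
"""Triage a HijackThis 1.99 log using the patterns the helper applied in this thread.

Added example, not part of the thread or of HijackThis. It parses O2 (BHO),
O4 (Run) and O20 (Winlogon Notify) lines and flags what the helper selected
for "Fix checked": BHOs whose DLL is missing, unnamed BHOs loaded from
system32, Run entries launching from Temp or a misplaced svchost.exe, and a
Winlogon Notify DLL that is also registered as a BHO (the Vundo pattern).
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis logs in this thread,
# mixed with legitimate entries the helper deliberately left alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINNT\system32\uoodoqha.dll (file missing)
O2 - BHO: (no name) - {D86B5E1E-70DA-4E97-B6A8-AFEF3F8397F8} - C:\WINNT\system32\sstqr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Ncuw] "C:\WINNT\system32\ASKS~1\svchost.exe" -vt ndrv
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fil23072.exe
O20 - Winlogon Notify: sstqr - C:\WINNT\system32\sstqr.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

# Line shapes as printed by HijackThis 1.99 (assumed from the logs above).
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass
class Finding:
    line: str
    reason: str


def _in_system32(path: str) -> bool:
    """True only when the file sits directly in ...\\system32, not a subfolder of it."""
    return ntpath.dirname(path).lower().endswith("\\system32")


def _executable(cmd: str) -> str:
    """First token of a Run command, honouring a double-quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> List[Finding]:
    """Return the log lines a reviewer would want to look at, with the reason."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings: List[Finding] = []
    bho_dlls = set()  # lower-cased DLL paths registered as BHOs

    for line in lines:
        m = BHO_RE.match(line)
        if m:
            path = m.group("path")
            bho_dlls.add(path.lower())
            if m.group("missing"):
                findings.append(Finding(line, "BHO CLSID points at a DLL that no longer exists (orphaned registration)"))
            elif m.group("name") == "(no name)" and _in_system32(path):
                findings.append(Finding(line, "unnamed BHO loading from system32: verify the DLL before keeping it"))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = _executable(m.group("cmd"))
            folder = ntpath.dirname(exe).lower()
            base = ntpath.basename(exe).lower()
            if "\\temp" in folder:
                findings.append(Finding(line, "autostart launching from a Temp folder"))
            elif base == "svchost.exe" and not _in_system32(exe):
                findings.append(Finding(line, "svchost.exe outside system32 (look-alike name)"))

    # Second pass: a Winlogon Notify DLL that is also a BHO, as sstqr.dll was here.
    for line in lines:
        m = NOTIFY_RE.match(line)
        if m and m.group("path").lower() in bho_dlls:
            findings.append(Finding(line, "Winlogon Notify DLL is also registered as a BHO"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it flags five lines and leaves the Spybot helper, the NVIDIA entries and the O23 service alone; a real log is just passed in as `log_text`.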

#8
DPsx7

DPsx7

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Well KB took a while to restart, but at least I got no error messages this time. Anyway, the popups have ceased, so I believe Vundo is gone and thanks for that much. Never knew you could right click on the tool to add files. However I ran another HJT and found a new entry. Some new file that gave me an error message this morning. (The line below is O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fil23072.exe.) I do try to keep my system running clean so I can spot new and unusual files. My browser seems to be running kinda slow too. I hope this crap isn't still re-downloading itself. Here's the fresh HJT log and another log from some program I tried called Spyware Doctor. I'm hoping this is a legit program. If you know otherwise I'll remove it ASAP. It's kinda strange how it finds things that don't appear in HJT, and the program does nothing about what it finds until I pay to register.

*By the way, I'd continue editing or 'fixing' things on my own but now that I'm getting help I'd rather not mess things up in the process. I mean I think I'm a bit more comfortable editing the registry, but the first time I did a while back I made it worse. I was unfamiliar with the new files in 2K when I moved from 98/ME. Lol.

Logfile of HijackThis v1.99.1
Scan saved at 9:57:25 PM, on 10/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
D:\Program Files\Ewido AS 4.0\guard.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\system32\services.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Downloads\Repair Tools\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lanarchy.org/web2/html/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [np] c:\winnt\system32\upnp.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fil23072.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O15 - Trusted Zone: http://www3.ca.com
O15 - Trusted Zone: http://usa.kaspersky.com
O15 - Trusted Zone: http://us.mcafee.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.trendmicro.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinn...gsaw/jigsaw.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...861/mcfscan.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\Ewido AS 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe

-----

Scan Results:
scan start: 10/4/2006 9:59:52 PM
scan stop: 10/4/2006 10:02:44 PM
scanned items: 51744
found items: 37
found and ignored: 0
tools used: General Scanner, Process Scanner, Registry Scanner, Startup Scanner, Browser Scanner, Browser Activity Scanner, LSP Scanner, Disk Scanner, ActiveX Scanner



Infection Name Location Risk
I-Search Desktop Search Toolbar C:\WINNT\RFBzeDc\lI1WyGw.vbs Elevated
Trojan.EmailSpy C:\zx\test.txt High
Backdoor.Agent.CFC HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C} High
Backdoor.Agent.CFC HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}## High
Backdoor.Agent.CFC HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}##ThreadingModel High
Backdoor.Agent.CFC HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32 High
Backdoor.Agent.CFC HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32## High
Backdoor.Agent.CFC HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32##ThreadingModel High
Common Components Unrelated HKCU\Software\Microsoft\Windows\CurrentVersion\Run##WinMedia Medium
PurityScan HKCU\Software\PSCloner High
PurityScan HKCU\Software\PSCloner## High
Common Components for Trojans HKCU\Software\unker Medium
Common Components for Trojans HKCU\Software\unker## Medium
Common Components for Trojans HKCU\Software\unker\upnp Medium
Common Components for Trojans HKCU\Software\unker\upnp## Medium
Common Components for Trojans HKCU\Software\unker\upnp\main Medium
Common Components for Trojans HKCU\Software\unker\upnp\main## Medium
Common Components for Trojans HKCU\Software\unker\upnp\main##cid Medium
Backdoor.Agent.CFC HKLM\Software\Classes\CLSID\{855875B5-93F3-429D-FF34-660B206D897C} High
Backdoor.Agent.CFC HKLM\Software\Classes\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}## High
Backdoor.Agent.CFC HKLM\Software\Classes\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}##ThreadingModel High
Backdoor.Agent.CFC HKLM\Software\Classes\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32 High
Backdoor.Agent.CFC HKLM\Software\Classes\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32## High
Backdoor.Agent.CFC HKLM\Software\Classes\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32##ThreadingModel High
Trojan.Downloader.Small.DNQ HKLM\Software\Microsoft\Windows\CurrentVersion\Run##np High
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1438Oin Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1438Oin## Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1438Oin##ntdll.dll Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1438Oin##UninstallString Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1440Oin Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1440Oin## Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1440Oin##ntdll.dll Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1440Oin##UninstallString Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1452Oin Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1452Oin## Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1452Oin##ntdll.dll Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1452Oin##UninstallString Elevated

Edited by DPsx7, 04 October 2006 - 08:17 PM.


#9 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi

I personally don't care for Spyware Doctor, but it is legit. I wouldn't buy it. I would like for you to try the one below. I use it and it seems to be very good.

Please run a scan with HijackThis and check the following lines for removal:

O4 - HKLM\..\Run: [np] c:\winnt\system32\upnp.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fil23072.exe


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.




Please download SUPERAntiSpyware Home Edition (free version)
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
  • After reboot, double-click the SUPERAntispyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Please paste that information here for me.


#10 DPsx7 (New Member, Topic Starter, 9 posts)
You bet. No need to pay when there are plenty of quality free tools. Besides, how do you know exactly what can be trusted, right? Thanks for linking me to that program. I was going to ask if you had a good free tool to recommend besides Ad-Aware and Spybot. Just something a little extra.

I had trouble getting HJT to remove that suspicious file. I scanned, fixed checked, and scanned again yet it remained. I used Killbox to knock it out, then HJT was able to remove the entry. I ran the new scanner a couple times because it was finding new things. Third time it ran clean. Guess that's good news. Still no popups, and I gotta surf around a while before I know if my speed is back to normal. As always, fresh logs. If you'd like I can post the others from SAS so you can see what they removed. I'll check back tomorrow to see if you found anything out of the ordinary and to report how things are going.

SUPERAntiSpyware Scan Log
Generated 10/05/2006 at 00:29 AM

Core Rules Database Version : 3098
Trace Rules Database Version: 1125

Memory threats detected : 0
Registry threats detected : 0
File threats detected : 0

-----

Logfile of HijackThis v1.99.1
Scan saved at 12:39:39 AM, on 10/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
D:\Program Files\Ewido AS 4.0\guard.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Downloads\Repair Tools\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lanarchy.org/web2/html/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O15 - Trusted Zone: http://www3.ca.com
O15 - Trusted Zone: http://usa.kaspersky.com
O15 - Trusted Zone: http://us.mcafee.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.trendmicro.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinn...gsaw/jigsaw.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...861/mcfscan.cab
O20 - Winlogon Notify: SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\Ewido AS 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
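The two Run values loophole told DPsx7 to fix in #9, set beside the entries that survived in the clean HijackThis log above, show what separates them: one starts from the user's Temp folder, the other is an unvetted binary in system32 under an opaque two-letter value name. The script below is an added example, not HijackThis code and not from any post; it parses O4 lines and ranks them on those structural signals alone. The vetted directories and filenames are assumptions an analyst would keep per host, and the sample lines are copied from the logs in this thread.

```python
"""Triage of HijackThis O4 (Run-key autostart) lines.

Added example for this thread, not HijackThis code and not from any post.
VETTED_ROOTS and VETTED_NAMES are assumptions an analyst keeps per host;
SAMPLE_LINES are copied from the logs posted above.
"""
import re
from typing import List, NamedTuple, Optional

O4_RE = re.compile(
    r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".vbs", ".pif")
# Assumption: directories already reviewed on this host.
VETTED_ROOTS = ("c:\\winnt", "c:\\program files", "d:\\program files")
# Assumption: binaries already confirmed legitimate on this host.
VETTED_NAMES = {
    "mobsync.exe", "nvcpl.dll", "nwiz.exe", "updreg.exe", "cthelper.exe",
    "nerocheck.exe", "qttask.exe", "realsched.exe", "hpgs2wnd.exe",
    "nvmctray.dll",
}


class Entry(NamedTuple):
    name: str
    cmd: str
    target: str  # lower-cased path of the file that actually runs


def _first_token(cmd: str):
    """Split a command into (program, rest). A quoted program is taken as
    written; an unquoted one grows at each space until the prefix ends in an
    executable extension, the way CreateProcess resolves an unquoted
    'D:\\Program Files\\x\\y.exe arg'."""
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        end = cmd.index('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(" ")
    for i in range(1, len(parts) + 1):
        cand = " ".join(parts[:i])
        if cand.lower().endswith(EXEC_EXT):
            return cand, " ".join(parts[i:])
    return parts[0], " ".join(parts[1:])


def extract_target(cmd: str) -> str:
    """For 'rundll32 DLL,Entry args' the DLL is what runs; else the program."""
    prog, rest = _first_token(cmd)
    if prog.lower().rsplit("\\", 1)[-1] == "rundll32.exe" and rest:
        prog, _ = _first_token(rest.split(",", 1)[0])
    return prog.lower()


def parse_o4(line: str) -> Optional[Entry]:
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["name"], m["cmd"], extract_target(m["cmd"]))


def assess(e: Entry) -> List[str]:
    """Structural signals only: nothing on disk is read, so this orders a
    manual review; it does not replace a signature or a publisher check."""
    t, base = e.target, e.target.rsplit("\\", 1)[-1]
    findings = []
    if "\\temp\\" in t or "\\temporary internet files\\" in t:
        findings.append("HIGH: autostarts from a temporary directory")
    if base in VETTED_NAMES and not findings:
        return findings  # known binary in an unremarkable place
    if "\\" not in t:
        findings.append("REVIEW: bare filename, resolved through PATH at logon")
    elif not t.startswith(VETTED_ROOTS):
        findings.append("REVIEW: target outside the vetted directories")
    if base not in VETTED_NAMES:
        findings.append(f"REVIEW: {base} has not been vetted on this host")
    if len(e.name) <= 2:
        findings.append("REVIEW: opaque value name")
    return findings


def triage(lines) -> dict:
    """Map each O4 value name to HIGH, REVIEW or OK; other lines are skipped."""
    result = {}
    for line in lines:
        e = parse_o4(line)
        if e is None:
            continue
        f = assess(e)
        result[e.name] = ("HIGH" if any(s.startswith("HIGH") for s in f)
                          else "REVIEW" if f else "OK")
    return result


SAMPLE_LINES = r"""
O4 - HKLM\..\Run: [np] c:\winnt\system32\upnp.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fil23072.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
""".strip().splitlines()

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_o4(line)
        if e:
            print(f"{triage([line])[e.name]:7}[{e.name}] {e.target}")
            for f in assess(e):
                print("       ", f)
```

The result for `[np]` is only REVIEW: path heuristics cannot tell `upnp.exe` in system32 from a Windows file, which is why the Spyware Doctor signature on that value (Trojan.Downloader.Small.DNQ in the log above), not the path, settled it. The `[WinMedia]` entry is HIGH on structure alone, since nothing legitimate autostarts out of Temp. Treat the output as an ordering for manual review, not a verdict.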

#11 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi

I think it's a great program. If you wouldn't mind, I would like to see what it has removed. I haven't really used it too much in the open forums, but I have thrown about everything at it on my computer and it seems to do rather well.

#12 DPsx7 (New Member, Topic Starter, 9 posts)
It sure does. Actually, it could help you in a future case to recognize if there's something new floating around. As I told ya, this thing kept coming back, which is why I requested some help. So I appreciate the time and the tools you've given me. I have 3 logs before they came back clean.

Oh, I should mention that so far things seem to be running great. I won't know for certain until I start it up tomorrow and run my scans to ensure it didn't revive.


SUPERAntiSpyware Scan Log
Generated 10/04/2006 at 11:48 PM

Core Rules Database Version : 3098
Trace Rules Database Version: 1125

Memory threats detected : 0
Registry threats detected : 17
File threats detected : 7

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{D3B3C51E-8D11-4667-85B9-0930F519BED7}
HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}
HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}#ThreadingModel
HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32
HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32#ThreadingModel
HKCR\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}
HKCR\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}\InprocServer32
HKCR\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}\InprocServer32#ThreadingModel

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt

Trojan.Windows Overlay Components/SysMon
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#DeviceDesc

Trojan.Downloader-DoWork
C:\!KillBox\ubxlagcp.dll
C:\!KillBox\ubxlagcp.dll( 5)

Trojan.Unknown Origin
C:\WINNT\RFBzeDc\lI1WyGw.vbs
C:\WINNT\tempf.txt

Adware.Vundo Variant
D:\Downloads\Repair Tools\backups\backup-20061003-092504-680.dll

-----

SUPERAntiSpyware Scan Log
Generated 10/05/2006 at 00:06 AM

Core Rules Database Version : 3098
Trace Rules Database Version: 1125

Memory threats detected : 0
Registry threats detected : 4
File threats detected : 3

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{BE8E79F1-3D23-48A7-9B07-1D2AAAD93327}
HKCR\CLSID\{BE8E79F1-3D23-48A7-9B07-1D2AAAD93327}
HKCR\CLSID\{BE8E79F1-3D23-48A7-9B07-1D2AAAD93327}\InprocServer32
HKCR\CLSID\{BE8E79F1-3D23-48A7-9B07-1D2AAAD93327}\InprocServer32#ThreadingModel
C:\WINNT\system32\mljjh.dll

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt

-----

SUPERAntiSpyware Scan Log
Generated 10/05/2006 at 00:22 AM

Core Rules Database Version : 3098
Trace Rules Database Version: 1125

Memory threats detected : 0
Registry threats detected : 0
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
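Two of the registry patterns in the first SUPERAntiSpyware log above are worth being able to read by hand. A value under Explorer\ShellExecuteHooks names a CLSID, and that CLSID's InProcServer32 names the DLL that every process calling ShellExecute then loads, which is how a hook DLL rides along with Explorer; once the CLSID is gone the hook value is dangling and harmless. The LEGACY_* keys under Enum\Root are records the PnP manager creates when a service or driver is started; they often outlive the service, so an orphaned one is the trace of something that ran, and its 0000\Service value gives the name to look for. The script below is an added example, not SUPERAntiSpyware code and not from any post; it resolves both patterns from a `regedit /e` export. The export text is constructed: the CLSIDs beginning 1111 and 2222, the DLL name and the Windows Overlay Components service are hypothetical, the vetted hook is the shell32 URL Exec Hook that ships with Windows (the assumption being that it is the only legitimate entry on this host), and NVSvc mirrors the service in the logs.

```python
"""Resolve ShellExecuteHooks and LEGACY_* records from a .reg export.

Added example for this thread, not SUPERAntiSpyware code and not from any
post. SAMPLE_REG is constructed: the CLSIDs starting 1111/2222, the DLL and
the Windows Overlay Components service are hypothetical; VETTED_HOOKS holds
the shell32 URL Exec Hook and is an assumption about what belongs here.
"""
HOOKS = ("hkey_local_machine\\software\\microsoft\\windows\\currentversion"
         "\\explorer\\shellexecutehooks")
# HKCR is a merged view in which HKCU\Software\Classes shadows
# HKLM\Software\Classes, so a per-user CLSID wins; look in that order.
CLSID_ROOTS = (
    "hkey_current_user\\software\\classes\\clsid\\",
    "hkey_classes_root\\clsid\\",
    "hkey_local_machine\\software\\classes\\clsid\\",
)
LEGACY = "hkey_local_machine\\system\\currentcontrolset\\enum\\root\\legacy_"
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"
VETTED_HOOKS = {"{aeb6717e-7e19-11d0-97ee-00c04fd91972}"}


def parse_reg(text: str) -> dict:
    """Minimal REGEDIT5 parser: {key_path: {value_name: data}}, names
    lower-cased since registry paths are case-insensitive. The default value
    is stored under '@'; string data is unescaped, other types kept raw."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg.setdefault(key, {})
            continue
        if key is None:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip('"').lower()
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        reg[key][name] = data
    return reg


def resolve_hooks(reg: dict) -> dict:
    """CLSID -> path of its InProcServer32 DLL, or None when no server is
    registered anywhere (a dangling hook left by a partial cleanup)."""
    out = {}
    for clsid in reg.get(HOOKS, {}):
        if not clsid.startswith("{"):
            continue
        out[clsid] = None
        for root in CLSID_ROOTS:
            srv = reg.get(f"{root}{clsid}\\inprocserver32")
            if srv and srv.get("@"):
                out[clsid] = srv["@"]
                break
    return out


def legacy_records(reg: dict) -> dict:
    """NAME -> (service named by LEGACY_NAME\\0000\\Service, whether
    CurrentControlSet\\Services\\<service> still exists)."""
    out = {}
    for key, vals in reg.items():
        if key.startswith(LEGACY) and "service" in vals:
            name = key[len(LEGACY):].split("\\", 1)[0].upper()
            svc = vals["service"]
            out[name] = (svc, SERVICES + svc.lower() in reg)
    return out


def report(reg: dict) -> list:
    lines = []
    for clsid, dll in resolve_hooks(reg).items():
        if clsid in VETTED_HOOKS:
            continue
        lines.append(f"hook {clsid}: " + (
            f"loads {dll} into every process that calls ShellExecute"
            if dll else "dangling, no InProcServer32 registered"))
    for name, (svc, present) in legacy_records(reg).items():
        if not present:
            lines.append(f"LEGACY_{name}: record of service '{svc}', "
                         "which no longer exists")
    return lines


# Constructed export in the shape 'regedit /e' writes; see the docstring.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{11111111-2222-3333-4444-555555555555}"=""
"{22222222-2222-3333-4444-555555555555}"=""

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\WINNT\\system32\\example_hook.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NVSVC\0000]
"Service"="NVSvc"
"DeviceDesc"="NVIDIA Display Driver Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NVSvc]
"ImagePath"="C:\\WINNT\\system32\\nvsvc32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000]
"Service"="Windows Overlay Components"
"DeviceDesc"="Windows Overlay Components"
"""

if __name__ == "__main__":
    for line in report(parse_reg(SAMPLE_REG)):
        print(line)
```

The CLSID lookup tries HKCU\Software\Classes before HKCR and HKLM because a per-user registration shadows the machine-wide one, so a scanner that only reads HKLM can miss the DLL that actually loads. A LEGACY_* record whose service key is gone is the kind of leftover that a second scanner keeps reporting after the first has removed the payload; it is inert, but it is also the name to search for in the Services key and on disk before calling the box clean.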

#13 loophole (Malware Expert, Retired Staff, 9,798 posts)
Looks good :whistling:

Thanks for letting me see the logs. Surf around for a couple days and just let me know if everything is back to normal :blink:

#14 DPsx7 (New Member, Topic Starter, 9 posts)
I ran a scan not too long ago, came back clean. Awesome. Tried Spyware Doc though and it gave me the same junk. Being that nothing else picked it up, it was probably deactivated and just registry scraps. I went through manually and deleted 'em. Another scan, nothing but a few minor cookies. I'm back to my usual 'net speed thankfully. I'll surf around a little longer and run one last round of scans to confirm it didn't come back when I opened my browser. If anything comes up I'll check back. Otherwise I think everything is back to normal. Thanks again.

#15 loophole (Malware Expert, Retired Staff, 9,798 posts)
OK, thanks for responding and letting me know :whistling: