Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Smitfraud [RESOLVED]

Started by Steve Soleimani , Oct 02 2006 09:20 AM

This topic is locked

#16
Steve Soleimani

Posted 04 October 2006 - 12:36 PM

Member

Topic Starter
Member
272 posts

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Scan started at 2:06:33 PM 10/4/2006

Listing files found while scanning....

No infected files were found.

Beginning removal...

Attempting to delete C:\windows\system32\jkhfe.dll
C:\windows\system32\jkhfe.dll Could not be deleted.

Attempting to delete C:\windows\system32\kqtbzwe.dll
C:\windows\system32\kqtbzwe.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\jkhfe.dll
C:\windows\system32\jkhfe.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 2:36:29 PM, on 10/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\windows\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\OpenSA\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\OpenSA\Apache2\bin\Apache.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\windows\system32\hkcmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HJT.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CDC3D6B-122F-4742-A081-8D8BEB64C4A2} - C:\windows\system32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A0103D5-095E-E833-CA92-00E5012D3E6E} - C:\windows\system32\kqtbzwe.dll (file missing)
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\windows\system32\eimcljhn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\windows\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: check-ip-changed.bat
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash By FlashFavorite - res://C:\PROGRA~1\FLASHF~1\FFCom.dll/IeMenu.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1144367547234
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresp...s/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by109fd.bay10...ex/HMAtchmt.ocx
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjvd32 - winjvd32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\windows\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll
O23 - Service: Apache2 - Unknown owner - C:\OpenSA\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#17
loophole

Posted 04 October 2006 - 01:05 PM

Malware Expert

Retired Staff
9,798 posts

Great, we got em

Please run a scan with HijackThis and check the following lines for removal:

O2 - BHO: (no name) - {0CDC3D6B-122F-4742-A081-8D8BEB64C4A2} - C:\windows\system32\jkhfe.dll (file missing)

O2 - BHO: (no name) - {5A0103D5-095E-E833-CA92-00E5012D3E6E} - C:\windows\system32\kqtbzwe.dll (file missing)

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Also any luck on the itunes situation?

Edited by loophole, 04 October 2006 - 01:05 PM.

#18
Steve Soleimani

Posted 04 October 2006 - 01:14 PM

Member

Topic Starter
Member
272 posts

Owner - 06-10-04 15:12:04.78 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\windows\system32\ismini.exe
C:\windows\system32\components

((((((((((((((((((((((((((((((( Files Created from 2006-09-04 to 2006-10-04 ))))))))))))))))))))))))))))))))))

2006-10-04 08:17 86,036 --a------ C:\WINDOWS\system32\eimcljhn.dll
2006-10-01 23:27 835,732 ---hs---- C:\WINDOWS\system32\efhkj.bak2
2006-09-30 23:28 143,380 --a------ C:\WINDOWS\system32\nfamvklb.exe
2006-09-30 23:27 845,686 ---hs---- C:\WINDOWS\system32\efhkj.bak1
2006-09-15 17:24 65,536 --a------ C:\WINDOWS\system32\a1.dll
2006-09-15 17:24 520,192 --a------ C:\WINDOWS\system32\wscma2u.exe
2006-09-15 17:24 278,528 --a------ C:\WINDOWS\system32\ammpp.dll
2006-09-13 15:43 22,768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-04 15:10 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-04 15:07 -------- d-------- C:\Program Files\Hijackthis
2006-10-03 23:00 1387 --a------ C:\Documents and Settings\Owner\Application Data\.googlewebacchosts
2006-10-03 17:59 -------- d-------- C:\Program Files\Windows Defender
2006-10-03 17:59 -------- d-------- C:\Program Files\Vodei
2006-10-03 17:48 -------- d-------- C:\Program Files\iTunes
2006-10-03 17:48 -------- d-------- C:\Program Files\Internet Explorer
2006-10-03 17:48 -------- d-------- C:\Program Files\Google
2006-10-03 17:45 -------- d-------- C:\Program Files\AIM
2006-10-03 17:20 -------- d-------- C:\Program Files\WinZip
2006-10-03 17:20 -------- d-------- C:\Program Files\WinRAR
2006-10-02 11:17 -------- d-------- C:\Program Files\iPod
2006-10-02 11:16 -------- d-------- C:\Program Files\QuickTime
2006-10-02 11:12 -------- d-------- C:\Program Files\Apple Software Update
2006-10-02 11:03 -------- d-------- C:\Program Files\Common Files
2006-10-02 11:03 -------- d-------- C:\Program Files\BearShare
2006-10-01 11:10 -------- d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2006-09-30 19:25 -------- d-------- C:\Program Files\Common Files\Real
2006-09-30 19:25 -------- d-------- C:\Documents and Settings\Owner\Application Data\Real
2006-09-29 15:05 -------- d-------- C:\Documents and Settings\Owner\Application Data\Morpheus
2006-09-28 23:00 -------- d-------- C:\Program Files\Cain
2006-09-28 21:09 -------- d-------- C:\Program Files\Zone Labs
2006-09-28 21:07 -------- d-------- C:\Program Files\WinPcap
2006-09-26 22:11 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-25 21:03 -------- d-------- C:\Program Files\Windows Media Player
2006-09-25 21:03 -------- d-------- C:\Program Files\Last.fm
2006-09-17 21:10 -------- d-------- C:\Program Files\Flock
2006-09-17 21:10 -------- d-------- C:\Documents and Settings\Owner\Application Data\Flock
2006-09-17 13:05 -------- d-------- C:\Program Files\Motorola Phone Tools
2006-09-16 15:14 -------- d-------- C:\Program Files\Motorola
2006-09-15 17:36 -------- d-------- C:\Program Files\AnMing
2006-09-13 16:38 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-09-13 15:53 -------- d-------- C:\Program Files\Avanquest update
2006-09-13 15:45 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-12 22:18 -------- d-------- C:\Program Files\Common Files\Motorola Shared
2006-09-12 21:35 -------- d-------- C:\Program Files\CyberLink
2006-09-06 21:32 -------- d-------- C:\Program Files\AviSynth 2.5
2006-09-03 23:28 28672 --a------ C:\WINDOWS\gscr.dll
2006-09-03 23:28 1237343 --a------ C:\WINDOWS\lamborghini.exe
2006-09-03 23:28 120908 --a------ C:\WINDOWS\lamborghini.scr
2006-09-03 22:52 -------- d-------- C:\Documents and Settings\Owner\Application Data\IMVU
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 23:12 -------- d--h----- C:\Program Files\Uninstall Information
2006-08-13 13:54 -------- d-------- C:\Program Files\Microsoft
2006-08-12 14:36 940 --a------ C:\Documents and Settings\Owner\Application Data\AdobeDLM.log
2006-08-12 14:36 0 --a------ C:\Documents and Settings\Owner\Application Data\dm.ini
2006-08-12 14:35 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-12 14:35 -------- d-------- C:\Program Files\ClamWin
2006-08-11 09:18 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-14 14:51 108144 --a------ C:\WINDOWS\system32\GEARAspi.dll
2006-07-09 01:04 172032 --a------ C:\WINDOWS\system32\cncs32.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"ctfmon.exe"="C:\\windows\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\windows\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\windows\\system32\\hkcmd.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"NeroFilterCheck"="C:\\windows\\system32\\NeroCheck.exe"
"PinnacleDriverCheck"="C:\\windows\\system32\\PSDrvCheck.exe -CheckReg"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"ClamWin"="\"C:\\Program Files\\ClamWin\\bin\\ClamTray.exe\" --logon"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Windows Media Connect 2"="\"C:\\Program Files\\Windows Media Connect 2\\WMCCFG.exe\" /StartQuiet"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Spy Sweeper Fix.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Spy Sweeper Fix.lnk"
"backup"="C:\\windows\\pss\\Spy Sweeper Fix.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperFix.bat "
"item"="Spy Sweeper Fix"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WinZip Quick Pick.lnk"
"backup"="C:\\windows\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Spy Sweeper Fix.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\Spy Sweeper Fix.lnk"
"backup"="C:\\windows\\pss\\Spy Sweeper Fix.lnkStartup"
"location"="Startup"
"command"="C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperFix.bat "
"item"="Spy Sweeper Fix"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AnyDVD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AnyDVD"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\APVXDWIN]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="APVXDWIN"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Panda Software\\Panda Antivirus Platinum\\APVXDWIN.EXE\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BearShare]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BearShare"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CloneCDTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CloneCDTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\E06AXLRD_11163171]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EDICT"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft Encarta\\Encarta Premium DVD 2006\\EDICT.EXE\" -m"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\E06AXLRD_70333890]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EDICT"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft Encarta\\Encarta Premium DVD 2006\\EDICT.EXE\" -m"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Free Download Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fdm"
"hkey"="HKCU"
"command"="C:\\Program Files\\Free Download Manager\\fdm.exe -autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\InCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InCD"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NWEReboot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SCANINICIO]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Inicio"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Panda Software\\Panda Antivirus Platinum\\Inicio.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Shell]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ibm00001"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\ibm00001.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="C:\\Valve\\Steam\\Steam.exe -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Windows Media Connect 2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WMCCFG"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Windows Media Connect 2\\WMCCFG.exe\" /StartQuiet"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjvd32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Contents of the 'Scheduled Tasks' folder
C:\windows\tasks\AppleSoftwareUpdate.job
C:\windows\tasks\MP Scheduled Scan.job
C:\windows\tasks\Norton AntiVirus - Run Full System Scan - Owner.job

Completion time: Wed 10/04/2006 15:13:09.84
ComboFix.txt

#19
loophole

Posted 04 October 2006 - 01:34 PM

Malware Expert

Retired Staff
9,798 posts

Please run a scan with HijackThis and check the following lines for removal:

O20 - Winlogon Notify: winjvd32 - winjvd32.dll (file missing)

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.
Please double-click Killbox.exe to run it.
Select:
- Delete on Reboot
- then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\eimcljhn.dll
C:\WINDOWS\system32\efhkj.bak2
C:\WINDOWS\system32\nfamvklb.exe
C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\ammpp.dll
Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Is the computer running normally again

#20
Steve Soleimani

Posted 04 October 2006 - 01:54 PM

Member

Topic Starter
Member
272 posts

Nothing went wrong in that process.But im not sure if everything is "normal"

#21
loophole

Posted 04 October 2006 - 04:01 PM

Malware Expert

Retired Staff
9,798 posts

Please go HERE to run Panda's ActiveScan

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

#22
Steve Soleimani

Posted 04 October 2006 - 05:07 PM

Member

Topic Starter
Member
272 posts

Incident Status Location

Adware:adware/cws.searchmeup Not disinfected c:\windows\uniq
Adware:adware/savenow Not disinfected Windows Registry
Adware:adware/azesearch Not disinfected Windows Registry
Potentially unwanted tool:application/zango Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Application Data\Flock\Browser\Profiles\xdlsm0gw.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Application Data\Flock\Browser\Profiles\xdlsm0gw.default\cookies.txt[.com.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n9yhx1z7.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n9yhx1z7.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n9yhx1z7.default\cookies.txt[.com.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n9yhx1z7.default\cookies.txt[.google.com.br/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\Anti Virus, Spyware, other\SmitfraudFix\Process.exe
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Desktop\LimeWire\stuff\Portable Apps\yourwar_usb_setup.rar[yourwar_usb_setup\PortableFirefox\Data\profile\cookies.txt][ad.yieldmanager.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Desktop\LimeWire\stuff\Portable Apps\yourwar_usb_setup.rar[yourwar_usb_setup\PortableFirefox\Data\profile\cookies.txt][.advertising.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Desktop\LimeWire\stuff\Portable Apps\yourwar_usb_setup.rar[yourwar_usb_setup\PortableFirefox\Data\profile\cookies.txt][.fastclick.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Desktop\LimeWire\stuff\Portable Apps\yourwar_usb_setup.rar[yourwar_usb_setup\PortableFirefox\Data\profile\cookies.txt][.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Desktop\LimeWire\stuff\Portable Apps\yourwar_usb_setup.rar[yourwar_usb_setup\PortableFirefox\Data\profile\cookies.txt][.atdmt.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Desktop\LimeWire\stuff\Portable Apps\yourwar_usb_setup.rar[yourwar_usb_setup\PortableFirefox\Data\profile\cookies.txt][.fastclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Desktop\LimeWire\stuff\Portable Apps\yourwar_usb_setup.rar[yourwar_usb_setup\PortableFirefox\Data\profile\cookies.txt][media.fastclick.net/]
Hacktool:HackTool/Cain.B Not disinfected C:\Program Files\Cain\Abel.dll
Potentially unwanted tool:Application/Zango Not disinfected C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\wvuvvwv.dll.bad
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\ishost.exe_tobedeleted
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

#23
loophole

Posted 04 October 2006 - 05:15 PM

Malware Expert

Retired Staff
9,798 posts

OK

Looks like we are almost done

Delete your firefox cookies

Click Tools then Options.
Click Privacy.
Click Clear across from the Cookies option.
Click Ok to return to the browser main page.
Exit and relaunch the browser.

Now click >>start>>control panel >>add/remove programs and uninstall the following if present:

CAIN

Delete these folders:
C:\VundoFix Backups
c:\windows\uniq

Run Killbox

Please double-click Killbox.exe to run it.
Select:
- Delete on Reboot
- then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
C:\Program Files\Cain
C:\WINDOWS\system32\Process.exe
Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

That should be it. Let me know if there are still problems

#24
Steve Soleimani

Posted 04 October 2006 - 05:34 PM

Member

Topic Starter
Member
272 posts

Nope. But for a while now. When i start up my computer i get this message.

"Invalid boot.ini file"
"Booting from C:\windows\

idk if its \ or / so...

And idk if i should start a new topic for this. If so tell me (and the right area in the forum to do so). I just though t you should know

#25
wannabe1

Posted 04 October 2006 - 07:08 PM

Tech Staff

Technician
16,645 posts

Hi Steve Soleimani...

Let me have a peek at your boot.ini file.

Open Control Panel and double-click on the System icon. Click the Advanced tab and then, in the Startup and Recovery section, click on the Settings button.

In the dialog that opens, click on the Edit button.

In the notepad window that opens (boot.ini), click Edit on the toolbar, and choose Select All. Right click in the selected text and choose Copy.

Paste that here for me.

wannabe1

#26
Steve Soleimani

Posted 04 October 2006 - 07:39 PM

Member

Topic Starter
Member
272 posts

click on the Settings button.

In the dialog that opens, click on the Edit button.

In the notepad window that opens (boot.ini),

The "click on the settings button" when i did that this came up:

System Control Panel Applet

The C:\boot.ini file can not be opened. Operating System and Timeout settings can not be changed.

...then it did take me to that dialog/window where...

"click on the edit button" this came up:

Notepad

Cannot find the C:\boot.ini file.

Do you want to create a new file?

So i coulden't continue from there.

Edited by Steve Soleimani, 04 October 2006 - 07:40 PM.

#27
wannabe1

Posted 04 October 2006 - 08:23 PM

Tech Staff

Technician
16,645 posts

Ok...

Are your Folder Options set to view "Hidden Files and Folders"?

If we can't find it, we'll create a new one....but tell me a little about the system first.

What drive is the Windows folder located on? Is it C:?

Is the machine a dual boot? Does it contain more than one operating system?

Is the default operating system XP Home or XP Pro? SP1 or SP2?

#28
Steve Soleimani

Posted 04 October 2006 - 08:30 PM

Member

Topic Starter
Member
272 posts

ll tell you as much as I know. :whistling:

"Are your Folder Options set to view "Hidden Files and Folders"?" - I don't think so

"What drive is the Windows folder located on? Is it C:?" - Yes

"Is the machine a dual boot?" - I don't know

"Does it contain more than one operating system?" - No

"Is the default operating system XP Home or XP Pro? SP1 or SP2?" - Microsoft Windows XP Home Edition Version 2002 Service Pack 2.

Intel®
Pentium® 4 CPU 2.66GHz
2.66 GHz, 512 MB of RAM

#29
wannabe1

Posted 04 October 2006 - 08:40 PM

Tech Staff

Technician
16,645 posts

Let's look for the boot.ini one more time.

Open My Documents, click on Tools on the toolbar, and choose Folder Options. Under the View tab, tick the button next to "Show Hidden Files and Folders". "Apply" the change.

Then see if you can access the boot.ini as suggested earlier.