Win32/Clspring.Variant!Trojan

This topic is locked

#1 nitro1001 (New Member, 3 posts)

If anyone can help: I can't seem to get rid of this using Etrust Inoculate, adware, or Yahoo adware remover. It tells me it's cured, but then it shows up and says that it has been renamed... just won't go away. I'm not sure if it's causing random windows to open labeled as such: Thanks to anyone who can help, and you can email me at - EMail edited out to prevent spam


This is the kind of window that opens as well:
Outerinfo

Edited by MFDnSC, 15 November 2006 - 12:46 PM.

#2 MFDnSC (Banned, 1,137 posts)

1. Download this file :

http://download.blee...Bs/combofix.exe
http://www.techsuppo...ls/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

==============================

Click here to download HJTsetup.exe:

http://www.thespykil...=tpmod;dl=item5
Scroll down to the download section

Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

#3 nitro1001 (Topic Starter, New Member, 3 posts)

Thanks for the help so far... Here is the log from the HijackThis setup (looks like a mess):
ComboFix log below....


Logfile of HijackThis v1.99.1
Scan saved at 12:09:49 AM, on 11/16/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\WINNT\System32\svchost.exe
F:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
F:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
F:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
F:\WINNT\LogWatNT.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\stisvc.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\Program Files\Linksys Wireless-G PCI Adapter\WLService.exe
F:\WINNT\system32\svchost.exe
F:\Program Files\Linksys Wireless-G PCI Adapter\WMP54Gv4.exe
F:\WINNT\Explorer.EXE
F:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
F:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
F:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
F:\WINNT\explorer.exe
F:\WINNT\system32\PPPATC~1\attrib.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\Adam Bor\My Documents\?icrosoft.NET\?explore.exe
F:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://football.fant...hoo.com/f2/5881
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://football.fant...hoo.com/f2/5881
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {B02F7BED-EC7D-B1A2-7BE2-C39EFD405EB8} - F:\WINNT\system32\udemewbn.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - F:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: (no name) - {B02F7BED-EC7D-B1A2-7BE2-C39EFD405EB8} - F:\WINNT\system32\udemewbn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - F:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] F:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] F:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Hsuh] "F:\WINNT\system32\PPPATC~1\attrib.exe" -vt ndrv
O8 - Extra context menu item: &Viewpoint Search - res://F:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///F:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///F:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comne...iveSekurity.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://millithunder....com/iNotes.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - F:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - F:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - F:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - F:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - F:\Program Files\Linksys Wireless-G PCI Adapter\WLService.exe" "WMP54Gv4.exe (file missing)

ComboFix log:

Adam Bor - Thu 11/16/2006 0:21:53.72 Service Pack 4
ComboFix 06.11.9 - Running from: "F:\Documents and Settings\Adam Bor\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


F:\WINNT\system32\wapisvsu.exe
F:\Program Files\Common Files\Yazzle1409OinUninstaller.exe

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

F:\QooBox\Purity\Documents and Settings\Adam Bor\My Documents\ICROSO~1.NET
F:\QooBox\Purity\Documents and Settings\Adam Bor\My Documents\ICROSO~1.NET\?explore.exe
F:\QooBox\Purity\Program Files\Common Files\PPATCH~1
F:\QooBox\Purity\WINNT\system32\PPPATC~1
F:\QooBox\Purity\WINNT\system32\PPPATC~1\attrib.exe
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-494.0000
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-494.0001
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-494.0002
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-494.0003
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0000
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0001
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0002
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0003
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0004
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0005
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0006
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-505.0000

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

F:\QooBox\Purity\Documents and Settings\Adam Bor\My Documents\ICROSO~1.NET
F:\QooBox\Purity\Documents and Settings\Adam Bor\My Documents\ICROSO~1.NET\?explore.exe
F:\QooBox\Purity\Program Files\Common Files\PPATCH~1
F:\QooBox\Purity\WINNT\system32\PPPATC~1
F:\QooBox\Purity\WINNT\system32\PPPATC~1\attrib.exe
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-494.0000
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-494.0001
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-494.0002
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-494.0003
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0000
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0001
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0002
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0003
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0004
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0005
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0006
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-505.0000


((((((((((((((((((((((((((((((( Files Created from 2006-10-16 to 2006-11-16 ))))))))))))))))))))))))))))))))))


2006-11-16 00:20 360 --a------ F:\Combo.bat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-16 00:18 -------- d-a------ F:\Program Files\Common Files
2006-11-16 00:09 -------- d-------- F:\Program Files\Hijackthis
2006-11-12 22:48 -------- d-------- F:\Program Files\Media
2006-11-12 20:38 -------- d-------- F:\Program Files\XoftSpySE
2006-11-02 21:45 -------- d-------- F:\Program Files\Yahoo!
2006-11-02 21:45 -------- d-------- F:\Program Files\Common Files\Scanner
2006-10-12 23:12 -------- d-------- F:\Program Files\OIN Search
2006-10-05 21:09 -------- d-------- F:\Program Files\FileZilla
2006-09-12 06:48 1713536 --a------ F:\WINNT\system32\NTKRNLPA.EXE
2006-09-12 06:48 1690880 --a------ F:\WINNT\system32\NTOSKRNL.EXE
2006-09-05 23:58 1110528 --a------ F:\WINNT\system32\msxml3.dll
2006-08-28 03:44 530192 --a------ F:\WINNT\system32\comctl32.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"Hsuh"="\"F:\\WINNT\\system32\\PPPATC~1\\attrib.exe\" -vt ndrv"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"TkBellExe"="\"F:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"PCSuiteTrayApplication"="F:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -onlytray"
"DataLayer"="F:\\Program Files\\Common Files\\PCSuite\\DataLayer\\DataLayer.exe"
"iTunesHelper"="\"F:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"F:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:c0000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="F:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
F:\WINNT\tasks\XoftSpySE.job

Completion time: Thu 2006-11-16 0:30:22.70
F:\ComboFix.txt ... 06-11-16 00:30
F:\ComboFix2.txt ... 06-11-16 00:19

#4 MFDnSC (Banned, 1,137 posts)

Add remove programs – remove all occurrences of Viewpoint

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

R3 - URLSearchHook: (no name) - {B02F7BED-EC7D-B1A2-7BE2-C39EFD405EB8} - F:\WINNT\system32\udemewbn.dll

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - F:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll

O2 - BHO: (no name) - {B02F7BED-EC7D-B1A2-7BE2-C39EFD405EB8} - F:\WINNT\system32\udemewbn.dll

O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - F:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O4 - HKCU\..\Run: [Hsuh] "F:\WINNT\system32\PPPATC~1\attrib.exe" -vt ndrv

O8 - Extra context menu item: &Viewpoint Search - res://F:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

DownLoad http://www.downloads...org/KillBox.zip or
http://www.thespykil...les/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

F:\Documents and Settings\Adam Bor\My Documents\?icrosoft.NET
F:\WINNT\system32\PPPATC~1
F:\Program Files\Viewpoint
F:\WINNT\system32\udemewbn.dll


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system

#5 nitro1001 (Topic Starter, New Member, 3 posts)

OK, I ran what you said; so far so good.
Here is the log from ComboFix:

Adam Bor - Thu 11/16/2006 22:50:19.74 Service Pack 4
ComboFix 06.11.9 - Running from: "F:\Documents and Settings\Adam Bor\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

F:\QooBox\Purity\Documents and Settings\Adam Bor\My Documents\ICROSO~1.NET
F:\QooBox\Purity\Documents and Settings\Adam Bor\My Documents\ICROSO~1.NET\?explore.exe
F:\QooBox\Purity\Program Files\Common Files\PPATCH~1
F:\QooBox\Purity\WINNT\system32\PPPATC~1
F:\QooBox\Purity\WINNT\system32\PPPATC~1\attrib.exe
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-494.0000
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-494.0001
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-494.0002
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-494.0003
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0000
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0001
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0002
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0003
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0004
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0005
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-503.0006
F:\QooBox\Purity\WINNT\system32\PPPATC~1\?ppPatch\ctxad-505.0000


((((((((((((((((((((((((((((((( Files Created from 2006-10-16 to 2006-11-16 ))))))))))))))))))))))))))))))))))


2006-11-13 21:38 212 --a------ F:\delete.bat
2006-10-29 21:00 12,592 --a------ F:\WINNT\system32\drivers\usbscan.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-16 21:58 -------- d-------- F:\Program Files\Hijackthis
2006-11-16 00:18 -------- d-a------ F:\Program Files\Common Files
2006-11-12 22:48 -------- d-------- F:\Program Files\Media
2006-11-12 20:38 -------- d-------- F:\Program Files\XoftSpySE
2006-11-02 21:45 -------- d-------- F:\Program Files\Yahoo!
2006-11-02 21:45 -------- d-------- F:\Program Files\Common Files\Scanner
2006-10-12 23:12 -------- d-------- F:\Program Files\OIN Search
2006-10-05 21:09 -------- d-------- F:\Program Files\FileZilla
2006-09-12 06:48 1713536 --a------ F:\WINNT\system32\NTKRNLPA.EXE
2006-09-12 06:48 1690880 --a------ F:\WINNT\system32\NTOSKRNL.EXE
2006-09-05 23:58 1110528 --a------ F:\WINNT\system32\msxml3.dll
2006-08-28 03:44 530192 --a------ F:\WINNT\system32\comctl32.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"TkBellExe"="\"F:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"PCSuiteTrayApplication"="F:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -onlytray"
"DataLayer"="F:\\Program Files\\Common Files\\PCSuite\\DataLayer\\DataLayer.exe"
"iTunesHelper"="\"F:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"F:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,c0
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="F:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
F:\WINNT\tasks\XoftSpySE.job

Completion time: Thu 2006-11-16 22:52:10.82
F:\ComboFix.txt ... 06-11-16 22:52
F:\ComboFix2.txt ... 06-11-16 00:30
F:\ComboFix3.txt ... 06-11-16 00:19


And here is the log from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 11:01:22 PM, on 11/16/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\WINNT\System32\svchost.exe
F:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
F:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
F:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
F:\WINNT\LogWatNT.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\stisvc.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\Program Files\Linksys Wireless-G PCI Adapter\WLService.exe
F:\WINNT\system32\svchost.exe
F:\Program Files\Linksys Wireless-G PCI Adapter\WMP54Gv4.exe
F:\WINNT\Explorer.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
F:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
F:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\CA\eTrust\InoculateIT\Realmon.exe
F:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://football.fant...hoo.com/f2/5881
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://football.fant...hoo.com/f2/5881
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] F:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] F:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///F:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///F:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comne...iveSekurity.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://millithunder....com/iNotes.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - F:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - F:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - F:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - F:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - F:\Program Files\Linksys Wireless-G PCI Adapter\WLService.exe" "WMP54Gv4.exe (file missing)



Thanks again for the help, I hope I am all set... Can you advise what software I can add to my system to protect myself in the future? Or should I just run one of these programs on a regular basis? Thanks!!!
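A triage helper for the HijackThis logs posted in this thread, added here as an example; it is not code from the thread, from HijackThis or from ComboFix. It parses the R/O entry lines and the "Running processes" lines, flags entries for the same signs MFDnSC acted on (a URLSearchHook/BHO/toolbar with no name, a Run value launching from an 8.3-aliased folder such as PPPATC~1, a Windows tool name like attrib.exe living outside its normal folder, an undisplayable character in a path), and diffs the before and after logs so the poster can confirm what the cleanup actually removed. The embedded log excerpts are real lines from the two HijackThis logs above, trimmed to a few entries; the heuristics, the tool/folder lists and the function names are my own assumptions.

```python
import re
from dataclasses import dataclass

# Added example; not code from this thread, from HijackThis or from ComboFix.
# Parses a HijackThis log, flags entries for the signs the helper acted on,
# and diffs two logs to confirm what a cleanup removed.

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# First drive-letter path in a line; stops at a closing quote, at " -args" or at end of line
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?(?="|\s-|$)')
SHORT_NAME_RE = re.compile(r"\\[A-Z0-9_]{1,6}~\d+\\", re.I)   # e.g. \PPPATC~1\
# Windows tool names that belong in a fixed folder (assumed list for this example)
WINDOWS_TOOLS = {"attrib.exe", "svchost.exe", "explorer.exe", "iexplore.exe"}
NORMAL_DIRS = ("\\winnt", "\\winnt\\system32", "\\windows", "\\windows\\system32",
               "\\program files\\internet explorer")

@dataclass(frozen=True)
class Entry:
    kind: str   # R0/R1/R3/O2/O3/O4/... or PROC for a "Running processes" line
    body: str   # text after "Rn - " / "On - ", or the full path for PROC
    path: str   # first drive-letter path in the body, "" if none

def parse_log(text):
    """Return the R/O entries and running-process lines of a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            kind, body = m.group("kind"), m.group("body")
        elif PATH_RE.match(line):          # a line inside "Running processes:"
            kind, body = "PROC", line
        else:
            continue
        pm = PATH_RE.search(body)
        entries.append(Entry(kind, body, pm.group(0).strip() if pm else ""))
    return entries

def flag(entry):
    """Reasons an entry deserves a second look; [] if none."""
    folder, _, name = entry.path.rpartition("\\")
    folder, name = folder.lower(), name.lower()
    reasons = []
    if entry.kind in ("R3", "O2", "O3") and "(no name)" in entry.body:
        reasons.append("browser hook/BHO/toolbar with no name")
    if entry.kind == "O4" and SHORT_NAME_RE.search(entry.path):
        reasons.append("Run value launches from an 8.3-aliased folder")
    if name in WINDOWS_TOOLS and not folder.endswith(NORMAL_DIRS):
        reasons.append(f"{name} outside its normal folder")
    if "?" in entry.path:
        reasons.append("path contains an undisplayable character")
    return reasons

def triage(text):
    """(body, reasons) for every flagged entry, in log order."""
    return [(e.body, flag(e)) for e in parse_log(text) if flag(e)]

def diff_logs(before_text, after_text):
    """Entries that disappeared and entries that are new between two logs."""
    before = [e.body for e in parse_log(before_text)]
    after = [e.body for e in parse_log(after_text)]
    return ([b for b in before if b not in after], [a for a in after if a not in before])

# Excerpts of the before/after HijackThis logs posted in this thread (trimmed).
BEFORE_LOG = r"""
Running processes:
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\PPPATC~1\attrib.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\Adam Bor\My Documents\?icrosoft.NET\?explore.exe

R3 - URLSearchHook: (no name) - {B02F7BED-EC7D-B1A2-7BE2-C39EFD405EB8} - F:\WINNT\system32\udemewbn.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {B02F7BED-EC7D-B1A2-7BE2-C39EFD405EB8} - F:\WINNT\system32\udemewbn.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Hsuh] "F:\WINNT\system32\PPPATC~1\attrib.exe" -vt ndrv
"""
AFTER_LOG = r"""
Running processes:
F:\WINNT\system32\svchost.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\CA\eTrust\InoculateIT\Realmon.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
"""

if __name__ == "__main__":
    for body, reasons in triage(BEFORE_LOG):
        print(f"{body}\n    -> {'; '.join(reasons)}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"\n{len(removed)} entries gone after cleanup, {len(added)} new")
```

On the first log this flags six entries (the two attrib.exe lines, the ?explore.exe process, the unnamed R3/O2/O3 items), which is exactly the set MFDnSC told the poster to fix, and the diff confirms they are absent from the second log while the new Realmon.exe process is the only addition. The 8.3-alias check is deliberately limited to O4 Run values because short names such as PROGRA~1 show up in perfectly normal entries; treat every flag as a prompt to look at the file, not as a verdict.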

#6 MFDnSC (Banned, 1,137 posts)

Looks good


Get all of these and/or verify you have the current versions

SpywareBlaster 3.5.1 http://majorgeeks.co...wnload2859.html
SpyBot V1.4 http://www.majorgeek...wnload2471.html
AdAware SE 1.06 http://www.majorgeek...ownload506.html
MS Windows Defender - http://www.microsoft...;displaylang=en (XP and W2K only)

Download them (they are free), install them, check each for their definition updates, and then run AdAware, MS Defender (W2k/XP) and Spybot, fixing anything they say.

In SpywareBlaster - Always enable all protection after updates
In SpyBot - After an update run immunize

Check for updates and run weekly

#7 MFDnSC (Banned, 1,137 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.