Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

So many viruses, please help

Started by jkt2009 , Jan 15 2007 05:45 PM

This topic is locked

#16
jkt2009

Posted 15 January 2007 - 10:09 PM

Member

Topic Starter
Member
24 posts

HAXFIX logfile - by Marckie

version 4.361
Mon 01/15/2007 21:03:18.12

--- Checking for Haxdoor ---

checking for a3d files
a3d files found
ps.a3d

checking for matching notify keys
matching notify keys found
vist

checking for matching services
matching services found
vistax
vistaj

checking for matching safeboot services
matching safeboot services found
vistax.sys
vistaj.sys

checking for other Haxdoor-files
no other Haxdoor-files found

--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected

Finished!

#17
Ryan

Posted 15 January 2007 - 10:19 PM

Member 4k

Member
4,867 posts

You can just copy and paste the file path into the box.

After you submit it, please follow these instructions.

Option 2 autofix

Open this folder program files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
Close all other open windows since this step requires a reboot
Select option 2. Run auto fix by typing 2 and then pressing Enter

If an infection is found, you'll get a message to close all other open windows.

Close all open windows except the red dos window from haxfix and then press Enter
The computer will reboot
After reboot a logfile will open > (c:\haxfix.txt)
Post the contents of that logfile along with a new HijackThis log.

-Ryan

#18
jkt2009

Posted 15 January 2007 - 10:30 PM

Member

Topic Starter
Member
24 posts

Nice work, computer rebooted in normal mode. before reboot I couldn't even access your forum page to post info, had to use the laptop. New log files you requested:

HAXFIX logfile - by Marckie

version 4.361
Mon 01/15/2007 21:22:21.09

--- Auto Haxdoorfix ---

searching for files:

searching for services....
service vistax found
[SWSC] DeleteService SUCCESS
service vistaj found
[SWSC] DeleteService SUCCESS

--- Goldunfix ---

searching for files:

checking iexplore.exe
iexplore.exe is not infected

searching for SSODLkeys:
no SSODLkeys found

searching for notifykeys:
no notifykeys found

searching for services:
no services found

.....rebooting the computer.....

searching for ssodlkeys

not needed

searching for notifykeys

notifykey vistax not found

searching for services

service vistax not found
service vistaj not found

searching for safeboot services

safeboot service vistax.sys not found
safeboot service vistaj.sys not found

searching for files

vistax.dll exists
deleting vistax.dll
vistax.dll has been deleted

vistax.sys exists
deleting vistax.sys
vistax.sys has been deleted

vistaj.sys exists
deleting vistaj.sys
vistaj.sys has been deleted

checking for other files

klgcptini.dat exists
deleting klgcptini.dat
klgcptini.dat has been deleted

qz.dll exists
deleting qz.dll
qz.dll has been deleted

qz.sys exists
deleting qz.sys
qz.sys has been deleted

stt82.ini exists
deleting stt82.ini
stt82.ini has been deleted

checking for a3d files

ps.a3d
deleting a3d files
a3d files are deleted

Finished

Logfile of HijackThis v1.99.1
Scan saved at 9:25:56 PM, on 1/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\LEXBCES.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\LEXPPS.EXE
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\System32\alg.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\WINDOWS\System32\RioMSC.exe
F:\Program Files\Spyware Doctor\sdhelp.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\sistray.EXE
F:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
F:\WINDOWS\AGRSMMSG.exe
F:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
F:\Program Files\Spyware Doctor\swdoctor.exe
F:\Program Files\Nikon\NkView4\NkVwMon.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\System32\dlcccoms.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\System32\wbem\wmiprvse.exe
F:\Documents and Settings\Kelley\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=F:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - F:\WINDOWS\system32\HDBHO.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiS Tray] F:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] F:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLCCCATS] rundll32 F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "F:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "F:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [TivoTransfer] "F:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /auto:TivoTransfer /registry /service
O4 - HKCU\..\Run: [Spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Scheduler.lnk = F:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkVwMon.exe.lnk = F:\Program Files\Nikon\NkView4\NkVwMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topprodu...ds/msjavx86.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c420.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - ms-its:mhtml:file://C:\ss.MHT!http://www.trafficho...les/initial.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Configuration Loading - Unknown owner - F:\WINDOWS\System32\svchos1.exe" -service (file missing)
O23 - Service: dlcc_device - Unknown owner - F:\WINDOWS\System32\dlcccoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - F:\WINDOWS\System32\RioMSC.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - F:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - F:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

#19
jkt2009

Posted 15 January 2007 - 10:34 PM

Member

Topic Starter
Member
24 posts

I was also able to now browse and send the vistax.dll to uploadmalware.com and remove the other java program you requested.

Edited by jkt2009, 15 January 2007 - 10:35 PM.

#20
Ryan

Posted 15 January 2007 - 11:12 PM

Member 4k

Member
4,867 posts

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

-Ryan

#21
jkt2009

Posted 15 January 2007 - 11:20 PM

Member

Topic Starter
Member
24 posts

Where is the extracted SDfix folder? Thanks for all your help on this

FOUND IT

Edited by jkt2009, 15 January 2007 - 11:24 PM.

#22
jkt2009

Posted 15 January 2007 - 11:31 PM

Member

Topic Starter
Member
24 posts

New Log files:

SDFix: Version 1.59

Mon 01/15/2007 - 22:25:23.56

Microsoft Windows XP [Version 5.1.2600]

Running From: F:\SDFix

Safe Mode:

Checking Services:

Name:

Path:

Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting

Normal Mode:

Checking Files:

Files will be copied to Backups folder then removed:

F:\WINDOWS\system32\_000002_.tmp.dll - Deleted
F:\WINDOWS\Installer\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}\_SHCT_Sprint.exe.exe - Deleted
F:\WINDOWS\system32\TFTP1844 - Deleted

Alternate Stream Check:

F:\WINDOWS\system32
No streams found.
Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

Remaining Files:
---------------

Backups Folder: - F:\SDFix\backups\backups.zip

Listing Files with hidden attributes:

F:\NTDETECT.COM
F:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
F:\Program Files\Walgreens\Walgreens PhotoShow\data\Walgreens PhotoShow Express.exe
F:\WINDOWS\system32\cdplayer.exe.manifest
F:\WINDOWS\system32\logonui.exe.manifest
F:\pagefile.sys
F:\WINDOWS\uccspecb.sys
F:\Documents and Settings\Kyla\My Documents\~WRL0005.tmp
F:\WINDOWS\system32\config\default.tmp.LOG
F:\WINDOWS\system32\config\software.tmp.LOG
F:\WINDOWS\system32\config\system.tmp.LOG
F:\WINDOWS\Temp\OLD61.tmp
F:\WINDOWS\Temp\OLD64.tmp
F:\WINDOWS\Temp\OLD67.tmp
F:\WINDOWS\Temp\OLD6A.tmp
F:\WINDOWS\Temp\OLD6D.tmp
F:\WINDOWS\Temp\OLD70.tmp
F:\WINDOWS\Temp\OLD7A.tmp
F:\WINDOWS\Temp\OLD7D.tmp
F:\WINDOWS\Temp\OLD80.tmp
F:\WINDOWS\Temp\OLD83.tmp

Finished

Logfile of HijackThis v1.99.1
Scan saved at 10:29:12 PM, on 1/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\LEXBCES.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\LEXPPS.EXE
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\WINDOWS\System32\RioMSC.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\system32\sistray.EXE
F:\WINDOWS\AGRSMMSG.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\Program Files\Java\jre1.6.0\bin\jusched.exe
F:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\System32\dlcccoms.exe
F:\Program Files\Nikon\NkView4\NkVwMon.exe
F:\Documents and Settings\Kelley\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - F:\WINDOWS\system32\HDBHO.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiS Tray] F:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] F:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLCCCATS] rundll32 F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "F:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [TivoTransfer] "F:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /auto:TivoTransfer /registry /service
O4 - Startup: Scheduler.lnk = F:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkVwMon.exe.lnk = F:\Program Files\Nikon\NkView4\NkVwMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topprodu...ds/msjavx86.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c420.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - ms-its:mhtml:file://C:\ss.MHT!http://www.trafficho...les/initial.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Configuration Loading - Unknown owner - F:\WINDOWS\System32\svchos1.exe" -service (file missing)
O23 - Service: dlcc_device - Unknown owner - F:\WINDOWS\System32\dlcccoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - F:\WINDOWS\System32\RioMSC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - F:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

#23
Ryan

Posted 15 January 2007 - 11:50 PM

Member 4k

Member
4,867 posts

== HJT Entries ==

You will want to print out a copy of these instructions to follow while you complete this procedure, as you will not be able to access the internet later in the fix.

Open HiJack This and scan. When it finishes, put an X in the box next to these following item(s)

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topprodu...ds/msjavx86.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c420.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - ms-its:mhtml:file://C:\ss.MHT!http://www.trafficho...les/initial.cab
O23 - Service: Configuration Loading - Unknown owner - F:\WINDOWS\System32\svchos1.exe" -service (file missing)

Close all open windows except for HiJack This and click fix checked.

Next, copy the following line, and then paste it into the Run dialog box (found by going to Start, and then Run): sc delete "Configuration Loading"

== AVG Anti-Spyware ==

Open AVG Anti-Spyware

On the main screen select the icon "Update" then select the "Update now" link.
- Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"

Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

-Ryan

#24
jkt2009

Posted 16 January 2007 - 12:53 AM

Member

Topic Starter
Member
24 posts

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:49:36 PM 1/15/2007

+ Scan result:

F:\System Volume Information\_restore{BF5ACF71-0ED2-4019-BB84-60CDD5BE23AD}\RP1\A0001087.sys -> Backdoor.Haxdoor.in : Cleaned.
F:\System Volume Information\_restore{BF5ACF71-0ED2-4019-BB84-60CDD5BE23AD}\RP1\A0001097.sys -> Backdoor.Haxdoor.in : Cleaned.
F:\System Volume Information\_restore{BF5ACF71-0ED2-4019-BB84-60CDD5BE23AD}\RP1\A0001086.dll -> Backdoor.Haxdoor.jb : Cleaned.
F:\System Volume Information\_restore{BF5ACF71-0ED2-4019-BB84-60CDD5BE23AD}\RP1\A0001096.dll -> Backdoor.Haxdoor.jb : Cleaned.
F:\Documents and Settings\Kelley\Cookies\kelley@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
F:\Documents and Settings\Kelley\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
F:\Documents and Settings\Kelley\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
F:\Documents and Settings\Kelley\Cookies\kelley@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.

::Report end

What's next?

Thanks,

Kelley

#25
Ryan

Posted 16 January 2007 - 01:03 AM

Member 4k

Member
4,867 posts

Please do an online scan with Kaspersky WebScanner
You will need to use Internet Explorer to do this

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post, along with a new HiJack This log.

-Ryan

#26
jkt2009

Posted 16 January 2007 - 01:53 AM

Member

Topic Starter
Member
24 posts

Not sure if the link works for you:

F:\Documents and Settings\Kelley\Desktop\kaspersky.html

KASPERSKY ONLINE SCANNER REPORTKASPERSKY ONLINE SCANNER REPORT
Tuesday, January 16, 2007 12:49:30 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build
2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 16/01/2007
Kaspersky Anti-Virus database records: 258702

Scan Settings
Scan using the following antivirus databaseextended
Scan Archivestrue
Scan Mail Basestrue

Scan TargetMy Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects38930
Number of viruses found12
Number of infected objects24 / 0
Number of suspicious objects6
Duration of the scan process00:34:54

Infected Object NameVirus NameLast Action
F:\1200f7961e4bf8b20da98a\$shtdwn$.req Object is locked skipped

F:\1200f7961e4bf8b20da98a\mrt.exe Object is locked skipped

F:\1200f7961e4bf8b20da98a\mrtstub.exe Object is locked skipped

F:\Documents and Settings\Administrator\My
Documents\DivXPro511Adware.exe/stream/data0019 Infected:
not-a-virus:AdWare.Win32.Gator.3202 skipped

F:\Documents and Settings\Administrator\My
Documents\DivXPro511Adware.exe/stream Infected:
not-a-virus:AdWare.Win32.Gator.3202 skipped

F:\Documents and Settings\Administrator\My Documents\DivXPro511Adware.exe
NSIS: infected - 2 skipped

F:\Documents and Settings\All Users\Application
Data\Microsoft\Crypto\DSS\MachineKeys\9a1c52dbc51398bfe7e179372b4e8787_803f4984-f9e8-47c9-9d95-bd58f7c8c2b9
Object is locked skipped

F:\Documents and Settings\All Users\Application
Data\Microsoft\Crypto\RSA\MachineKeys\a18c1621c526ee856e8c5bbe771a4ad8_803f4984-f9e8-47c9-9d95-bd58f7c8c2b9
Object is locked skipped

F:\Documents and Settings\All Users\Application Data\Microsoft\Dr
Watson\user.dmp Object is locked skipped

F:\Documents and Settings\All Users\Application Data\Symantec\Common
Client\settings.dat Object is locked skipped

F:\Documents and Settings\Kelley\Cookies\index.dat Object is locked
skipped

F:\Documents and
Settings\Kelley\Desktop\backups\backup-20070115-230120-478 Suspicious:
Exploit.HTML.Mht skipped

F:\Documents and Settings\Kelley\Desktop\hijackthis Log2.txt Suspicious:
Exploit.HTML.Mht skipped

F:\Documents and Settings\Kelley\Desktop\hijackthis.log Suspicious:
Exploit.HTML.Mht skipped

F:\Documents and Settings\Kelley\Desktop\hijackthis3.txt Suspicious:
Exploit.HTML.Mht skipped

F:\Documents and Settings\Kelley\Desktop\hijackthis4.txt Suspicious:
Exploit.HTML.Mht skipped

F:\Documents and Settings\Kelley\Desktop\SmitfraudFix\Reboot.exe Infected:
not-a-virus:RiskTool.Win32.Reboot.f skipped

F:\Documents and
Settings\Kelley\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe
Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

F:\Documents and Settings\Kelley\Desktop\SmitfraudFix.exe/data.rar
Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

F:\Documents and Settings\Kelley\Desktop\SmitfraudFix.exe RarSFX: infected
- 2 skipped

F:\Documents and Settings\Kelley\Local Settings\Application
Data\Identities\{7205F16D-4F5A-4DA3-9858-980986B05F7A}\Microsoft\Outlook
Express\alt.binaries.dvd.erotica.repost.dbx/[From
[email protected]][Date Wed, 29 Dec 2004 03:38:06
GMT]/SisterFingering.scr Infected: Backdoor.Win32.Small.ct skipped

F:\Documents and Settings\Kelley\Local Settings\Application
Data\Identities\{7205F16D-4F5A-4DA3-9858-980986B05F7A}\Microsoft\Outlook
Express\alt.binaries.dvd.erotica.repost.dbx Mail MS Outlook 5: infected -
1 skipped

F:\Documents and Settings\Kelley\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

F:\Documents and Settings\Kelley\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

F:\Documents and Settings\Kelley\Local
Settings\History\History.IE5\index.dat Object is locked skipped

F:\Documents and Settings\Kelley\Local Settings\Temp\Temporary Directory 1
for hijackthis[1].zip\hijackthis.log Suspicious: Exploit.HTML.Mht skipped

F:\Documents and Settings\Kelley\Local Settings\Temporary Internet
Files\Content.IE5\index.dat Object is locked skipped

F:\Documents and Settings\Kelley\NTUSER.DAT Object is locked skipped

F:\Documents and Settings\Kelley\NTUSER.DAT.LOG Object is locked skipped

F:\Documents and Settings\LocalService\Cookies\index.dat Object is locked
skipped

F:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

F:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

F:\Documents and Settings\LocalService\Local
Settings\History\History.IE5\index.dat Object is locked skipped

F:\Documents and Settings\LocalService\Local Settings\Temporary Internet
Files\Content.IE5\index.dat Object is locked skipped

F:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

F:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked
skipped

F:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

F:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

F:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked
skipped

F:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked
skipped

F:\ebf5d7af4d774035c990d955\empty.cat Object is locked skipped

F:\ebf5d7af4d774035c990d955\msi.dll Object is locked skipped

F:\ebf5d7af4d774035c990d955\msiexec.exe Object is locked skipped

F:\ebf5d7af4d774035c990d955\msihnd.dll Object is locked skipped

F:\ebf5d7af4d774035c990d955\msimsg.dll Object is locked skipped

F:\ebf5d7af4d774035c990d955\msisip.dll Object is locked skipped

F:\ebf5d7af4d774035c990d955\spmsg.dll Object is locked skipped

F:\ebf5d7af4d774035c990d955\spuninst.exe Object is locked skipped

F:\ebf5d7af4d774035c990d955\update\eula.txt Object is locked skipped

F:\ebf5d7af4d774035c990d955\update\kb893803v2_net.cat Object is locked
skipped

F:\ebf5d7af4d774035c990d955\update\kb893803v2_w2k.cat Object is locked
skipped

F:\ebf5d7af4d774035c990d955\update\kb893803v2_wxp.cat Object is locked
skipped

F:\ebf5d7af4d774035c990d955\update\spcustom.dll Object is locked skipped

F:\ebf5d7af4d774035c990d955\update\update.exe Object is locked skipped

F:\ebf5d7af4d774035c990d955\update\update.ver Object is locked skipped

F:\ebf5d7af4d774035c990d955\update\updatebr.inf Object is locked skipped

F:\ebf5d7af4d774035c990d955\update\update_w2k3.inf Object is locked
skipped

F:\ebf5d7af4d774035c990d955\update\update_win2k.inf Object is locked
skipped

F:\ebf5d7af4d774035c990d955\update\update_wxp.inf Object is locked skipped

F:\ebf5d7af4d774035c990d955\update\updspapi.dll Object is locked skipped

F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log
Object is locked skipped

F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log
Object is locked skipped

F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log
Object is locked skipped

F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log
Object is locked skipped

F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object
is locked skipped

F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log
Object is locked skipped

F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log
Object is locked skipped

F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log
Object is locked skipped

F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log
Object is locked skipped

F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log
Object is locked skipped

F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log
Object is locked skipped

F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log
Object is locked skipped

F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log
Object is locked skipped

F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log
Object is locked skipped

F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log
Object is locked skipped

F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log
Object is locked skipped

F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log
Object is locked skipped

F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log
Object is locked skipped

F:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object
is locked skipped

F:\System Volume
Information\_restore{BF5ACF71-0ED2-4019-BB84-60CDD5BE23AD}\RP4\change.log
Object is locked skipped

F:\WINDOWS\Debug\oakley.log Object is locked skipped

F:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

F:\WINDOWS\esba-4.exe/WISE0007.BIN Infected: Backdoor.Win32.Ruledor.e
skipped

F:\WINDOWS\esba-4.exe/WISE0008.BIN Infected:
Trojan-Downloader.Win32.Agent.ab skipped

F:\WINDOWS\esba-4.exe/WISE0009.BIN Infected:
not-a-virus:AdWare.Win32.SpecialOffers.a skipped

F:\WINDOWS\esba-4.exe/WISE0010.BIN Infected: Trojan-Dropper.Win32.Small.gj
skipped

F:\WINDOWS\esba-4.exe/WISE0011.BIN Infected:
Trojan-Downloader.Win32.IstBar.er skipped

F:\WINDOWS\esba-4.exe WiseSFX: infected - 5 skipped

F:\WINDOWS\SchedLgU.Txt Object is locked skipped

F:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked
skipped

F:\WINDOWS\Sti_Trace.log Object is locked skipped

F:\WINDOWS\system32\a_i_037.dll/data0001 Infected:
Trojan-Downloader.Win32.IstBar.iu skipped

F:\WINDOWS\system32\a_i_037.dll/data0003 Infected:
Trojan-Downloader.Win32.IstBar.nn skipped

F:\WINDOWS\system32\a_i_037.dll NSIS: infected - 2 skipped

F:\WINDOWS\system32\a_i_037.dll Exe2Dll: infected - 2 skipped

F:\WINDOWS\system32\a_i_037.dll UPX: infected - 2 skipped

F:\WINDOWS\system32\a_i_037.exe/data0001 Infected:
Trojan-Downloader.Win32.IstBar.iu skipped

F:\WINDOWS\system32\a_i_037.exe/data0003 Infected:
Trojan-Downloader.Win32.IstBar.nn skipped

F:\WINDOWS\system32\a_i_037.exe NSIS: infected - 2 skipped

F:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

F:\WINDOWS\system32\config\default Object is locked skipped

F:\WINDOWS\system32\config\default.LOG Object is locked skipped

F:\WINDOWS\system32\config\SAM Object is locked skipped

F:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

F:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

F:\WINDOWS\system32\config\SECURITY Object is locked skipped

F:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

F:\WINDOWS\system32\config\software Object is locked skipped

F:\WINDOWS\system32\config\software.LOG Object is locked skipped

F:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

F:\WINDOWS\system32\config\system Object is locked skipped

F:\WINDOWS\system32\config\system.LOG Object is locked skipped

F:\WINDOWS\system32\h323log.txt Object is locked skipped

F:\WINDOWS\system32\shawn.exe Infected:
not-a-virus:AdWare.Win32.EliteBar.ac skipped

F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked
skipped

F:\WINDOWS\wiadebug.log Object is locked skipped

F:\WINDOWS\wiaservc.log Object is locked skipped

F:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

---------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:55:13 AM, on 1/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\LEXBCES.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\LEXPPS.EXE
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\sistray.EXE
F:\WINDOWS\AGRSMMSG.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\Program Files\Java\jre1.6.0\bin\jusched.exe
F:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
F:\Program Files\Nikon\NkView4\NkVwMon.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\WINDOWS\System32\RioMSC.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\System32\dlcccoms.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\WINDOWS\System32\wuauclt.exe
F:\Documents and Settings\Kelley\Desktop\HijackThis.exe

O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - F:\WINDOWS\system32\HDBHO.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiS Tray] F:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] F:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLCCCATS] rundll32 F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "F:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [TivoTransfer] "F:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /auto:TivoTransfer /registry /service
O4 - Startup: Scheduler.lnk = F:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkVwMon.exe.lnk = F:\Program Files\Nikon\NkView4\NkVwMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlcc_device - Unknown owner - F:\WINDOWS\System32\dlcccoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - F:\WINDOWS\System32\RioMSC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - F:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

Edited by jkt2009, 16 January 2007 - 01:55 AM.

#27
jkt2009

Posted 16 January 2007 - 09:08 AM

Member

Topic Starter
Member
24 posts

You guys are awesome, Ryan really helped me out last night. Hopefully the computer is almost clean. let me know what else I can do. Here is the Panda Log Report:

Virus 1 1
Spyware 13 0
Hacking tools and rootkits 6 0
Dialers 1 0
Security Risks 0 0
Suspicious files 0 0

Incident Status Location

Spyware:spyware/clearsearch Not disinfected f:\program files\ClearSearch
Adware:adware/sidesearch Not disinfected f:\program files\Lycos
Potentially unwanted tool:application/myway Not disinfected f:\program files\MySearch
Adware:adware/searchforit Not disinfected f:\program files\sf
Dialer:dialer.b Not disinfected hkey_classes_root\clsid\{0E4796D6-A990-4372-9069-72FBDB4AE868}
Adware:adware/instdollars Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/sahagent Not disinfected Windows Registry
Adware:adware/sqwire Not disinfected Windows Registry
Adware:adware/fastfind Not disinfected Windows Registry
Adware:Adware/Gator Not disinfected F:\Documents and Settings\Administrator\My Documents\DivXPro511Adware.exe[Gain_Trickler.exe]
Spyware:Cookie/Hitbox Not disinfected F:\Documents and Settings\Kelley\Cookies\kelley@hitbox[2].txt
Spyware:Cookie/MetriWeb Not disinfected F:\Documents and Settings\Kelley\Cookies\kelley@metriweb[1].txt
Potentially unwanted tool:Application/Processor Not disinfected F:\Documents and Settings\Kelley\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected F:\Documents and Settings\Kelley\My Documents\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected F:\Program Files\HaxFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected F:\SDFix\apps\Process.exe
Virus:Trj/Downloader.CJX Disinfected F:\WINDOWS\system32\a_i_037.dll
Adware:Adware/IST.ISTBar Not disinfected F:\WINDOWS\system32\a_i_037.exe
Potentially unwanted tool:Application/Processor Not disinfected F:\WINDOWS\system32\Process.exe
Adware:Adware/EliteBar

Thanks again,

Kelley

#28
Ryan

Posted 16 January 2007 - 02:46 PM

Member 4k

Member
4,867 posts

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.
Please double-click Killbox.exe to run it.
Select:
- Delete on Reboot
- then Click on the All Files button.

Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

"F:\Documents and Settings\Administrator\My Documents\DivXPro511Adware.exe"
F:\WINDOWS\esba-4.exe
F:\WINDOWS\system32\a_i_037.dll
F:\WINDOWS\system32\shawn.exe
"f:\program files\ClearSearch"
"f:\program files\Lycos"
"f:\program files\MySearch"
"f:\program files\sf"

Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

How is your copmuter working now?

-Ryan

#29
jkt2009

Posted 16 January 2007 - 02:53 PM

Member

Topic Starter
Member
24 posts

It is starting to come around. A few pesky suckers left to elimininate.
I am at work, but am going home to perform your latest request in 30 minutes. I will post a new hijack log when completed. Thanks again Ryan.

#30
jkt2009

Posted 16 January 2007 - 03:36 PM

Member

Topic Starter
Member
24 posts

Cant execute Killbox, "the feature you are trying to use is on a network source that is unavailable.. .enter an alternate path to a folder containing the installation package formviewer_setup3.2.7[1].msi' in the box below"