Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Another "Spy Away" and "Perfect Cleaner" victim [R


  • This topic is locked This topic is locked

#1
fnkac

fnkac

    New Member

  • Member
  • Pip
  • 5 posts
I am a "me too" on the "Spy Away" and "Perfect Cleaner" pop-ups
on my Dell Inspiron E1405 XP system running Trend Micro
PC-Cillan. Both windows and PC-Cillan were current pre-infection.
Besides the pop-ups, there were fake Windows Security Center
bulletins popping up. Attempts to google symptoms of the
problem from that system redirected me so I disconnected
infected system from network and did research from a safe
system. Rebooting infected system into safe mode also
got the pop-ups and fake security bulletins.

Running AVG Anti-spyware fixed 12 things, it would not let me save
a report. Problems persisted.

Running SUPERAntiSpyware fixed more and stopped the pop-ups.
Upon reboot getting:
RegSvr32
LoadLibrary C:\Documents...\All...\Application Data\hwfwfcze.dll
not found.
I'll attach the log from the scan.

Running Panda Activscan was problematic.
During the run an IE page opened for online gambling
(*NOT* something I have ever been to).
After identifying 80+ the scan paused and the following
popped up:
Microsoft Office Outlook
No profiles have been created.
To create a new profile...
My hands were off the keyboard during the scan.
When I attempted to close that window IE died and so did
the scan.
Second run of panda ran awhile and a pop-up regarding
adobe came up, trying to close that again aborted scan.
Third run an IE page tried to open and failed on some
ad page and again the outlook pop-up. I left it
alone and when the scan paused (hung?) on M: (optical
drive, nothing in it). I stopped it and saved report.

Rebooted, again the LoadLibrary failure with hwfwfcze.dll.
Generated the Hijack This log at this point.

Reinstalling and restoring is an option for me on this
system if necessary (I have good backups), but that
doesn't help the community in identifying what the
problem is and how to squash it.

SUPERAntiSpyware Scan Log
Generated 03/02/2008 at 06:41 PM

Application Version : 3.6.1000

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Complete Scan
Total Scan Time : 01:40:18

Memory items scanned : 629
Memory threats detected : 3
Registry items scanned : 6396
Registry threats detected : 31
File items scanned : 88689
File threats detected : 58

Rogue.Unclassified/Loader
C:\WINDOWS\SYSTEM32\MGMRWMRV.EXE
C:\WINDOWS\SYSTEM32\MGMRWMRV.EXE
C:\WINDOWS\QZYXEJSJ.EXE
C:\WINDOWS\Prefetch\MGMRWMRV.EXE-03C7337E.pf

Trojan.Unclassified/Out-Variant
C:\WINDOWS\HMTIXUBK.DLL
C:\WINDOWS\HMTIXUBK.DLL
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\HWFWFCZE.DLL
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\HWFWFCZE.DLL

Adware.webHancer
HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\InprocServer32
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\InprocServer32#ThreadingModel
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\ProgID
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\Programmable
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\VersionIndependentProgID
C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL

Adware.AdBreak
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}
C:\WINDOWS\FHFMM-UNINSTALLER.EXE
C:\WINDOWS\FHFMM.EXE
C:\WINDOWS\HCWPRN.EXE
C:\WINDOWS\KKCOMP.DLL
C:\WINDOWS\KKCOMP.EXE
C:\WINDOWS\KVNAB.DLL
C:\WINDOWS\KVNAB.EXE
C:\WINDOWS\LIQAD.DLL
C:\WINDOWS\LIQAD.EXE
C:\WINDOWS\LIQUI-UNINSTALLER.EXE
C:\WINDOWS\LIQUI.DLL
C:\WINDOWS\LIQUI.EXE
C:\WINDOWS\PBSYSIE.DLL
C:\WINDOWS\SETTN.DLL
C:\WINDOWS\WBECHECK.EXE
C:\WINDOWS\XADBRK.DLL
C:\WINDOWS\XADBRK.EXE
C:\WINDOWS\XADBRK_.EXE

411Ferret Toolbar
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12F02779-6D88-4958-8AD3-83C12D86ADC7}

Adware.AdBlaster
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}

AdBars BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}

Adware.404Search
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000026.DLL

Adware.Accoona
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}

Trojan.PBar
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}

Browser Hijacker.Internet Explorer Zone Hijack
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click#http
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click#http
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect#http
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect#https

Adware.AdSponsor/ISM
HKU\S-1-5-21-3408571157-3006267501-1347063301-1006\Software\QdrModule
HKU\S-1-5-21-3408571157-3006267501-1347063301-1006\Software\QdrPack
C:\Documents and Settings\KJL\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\KJL\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\KJL\Start Menu\Programs\Internet Speed Monitor

Adware.Tracking Cookie
C:\Documents and Settings\KAC\Cookies\[email protected][1].txt
C:\Documents and Settings\KAC\Cookies\[email protected][2].txt
C:\Documents and Settings\KAC\Cookies\[email protected][1].txt
C:\Documents and Settings\KAC\Cookies\[email protected][1].txt
C:\Documents and Settings\KAC\Cookies\[email protected][2].txt
C:\Documents and Settings\KAC\Cookies\[email protected][2].txt
C:\Documents and Settings\KAC\Cookies\[email protected][1].txt
C:\Documents and Settings\KAC\Cookies\[email protected][1].txt
C:\Documents and Settings\KAC\Cookies\[email protected][1].txt
C:\Documents and Settings\KAC\Cookies\[email protected][2].txt
C:\Documents and Settings\KAC\Cookies\[email protected][1].txt
C:\Documents and Settings\KAC\Cookies\[email protected][2].txt
C:\Documents and Settings\KAC\Cookies\[email protected][1].txt
C:\Documents and Settings\KAC\Cookies\[email protected][1].txt
C:\Documents and Settings\KAC\Cookies\[email protected][1].txt
C:\Documents and Settings\KAC\Cookies\[email protected][1].txt
C:\Documents and Settings\KAC\Cookies\[email protected][1].txt
C:\Documents and Settings\KAC\Cookies\[email protected][2].txt
C:\Documents and Settings\KAC\Cookies\[email protected][2].txt
C:\Documents and Settings\KAC\Cookies\[email protected][3].txt
C:\Documents and Settings\KAC\Cookies\[email protected][1].txt
C:\Documents and Settings\KAC\Cookies\[email protected][1].txt
C:\Documents and Settings\KAC\Cookies\[email protected][1].txt
C:\Documents and Settings\KAC\Cookies\[email protected][2].txt
C:\Documents and Settings\KAC\Cookies\[email protected][1].txt
C:\Documents and Settings\KAC\Cookies\[email protected][1].txt
C:\Documents and Settings\KAC\Cookies\[email protected][1].txt

Adware.k8l
C:\PROGRAM FILES\MESSENGER\DIXORE.HTML

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\ESHOPEE.EXE

Trojan.Fakespy-B
C:\WINDOWS\SYSTEM32\MSOLE32.EXE

--

From Activescan:

Incident Status Location

Potentially unwanted tool:application/activitymon Not disinfected c:\program files\amsys
Adware:adware/activshopper Not disinfected c:\program files\e-zshopper
Adware:adware/adbars Not disinfected Windows Registry
Adware:adware/mirar Not disinfected Windows Registry
Dialer:dialer.xd Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{54645654-2225-4455-44A1-9F4543D34546}
Adware:adware/activesearch Not disinfected Windows Registry
Adware:adware/deskwizz Not disinfected Windows Registry
Adware:adware/404search Not disinfected Windows Registry
Adware:adware/adblaster Not disinfected Windows Registry
Adware:adware/adsincontext Not disinfected Windows Registry
Adware:adware/webhancer Not disinfected Windows Registry
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][1].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][1].txt
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\KJL\Cookies\[email protected][2].txt
Possible Virus. Not disinfected C:\Program Files\MSN Gaming Zone\zsetup.exe
Virus:Eicar.Mod Not disinfected C:\Program Files\Trend Micro\Internet Security 12\tmhelp.chm[/PCC12/Test_virus.htm]
Possible Virus. Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\zsetup.exe
Adware:Adware/Adband Not disinfected C:\WINDOWS\system32\000070.exe[ism.exe]

--

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:26:52 AM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061123
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/documents%20and%20settings/all%20users/documents/bookmarks.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file:///c:/documents%20and%20settings/all%20users/documents/bookmarks.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/documents%20and%20settings/all%20users/documents/bookmarks.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061123
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {00e7e722-1dd2-11b2-aff7-ac910f9327fe} - C:\WINDOWS\hmtixubk.dll (file missing)
O2 - BHO: (no name) - {019AEC30-DD6D-47C4-8806-2260F5B3DCF3} - C:\Program Files\Windows Plus\vidy555077.dll (file missing)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {94B89C30-9567-4CFE-A941-F8F5061E7B2C} - C:\Program Files\Windows NT\gunete777444.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hwfwfcze] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hwfwfcze.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [QdrModule13] "C:\Program Files\QdrModule\QdrModule13.exe"
O4 - HKCU\..\Run: [QdrPack13] "C:\Program Files\QdrPack\QdrPack13.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1164837005859
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.104/app/view22RTE.cab
O16 - DPF: {C7E002D6-324B-4500-883D-84B620FD8640} (Bridge Installer) - http://cdn2.zone.msn...6/heartbeat.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12444 bytes
  • 0

Advertisements


#2
fnkac

fnkac

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
After reviewing the hijackthis logs with what was reported by ChrisCox86 with
mine I tried ComboFix: nothing to lose since I'm ready to reinstall otherwise.
By appearances, my system is fixed:
Desktop screen from warning to blue
No loader errors on startup
No spontaneous web page pop-ups
Ctrl/Alt/Del brings up task manager again.

Am I fixed (logs attached)?

I'm a UNIX geek not a Windows geek.
From what I do know of Windows, if I was infected to this degree
(interfered in Safe Mode as well), if the author of the malware
is clever enough they could have left infection in either the
small windows partition or the Dell recovery partition on the
disk and as-yet-undetected files to reinfect me.
The only "true" solution is to format disk and reinstall
from known good media... of course, this is impossible:
1. Dell ships recovery partition not recovery DVD.
2. To update Windows (etc) one has to get onto network which exposes system again.
Since we "do all the right things" for updates, anti-virus,
anti-spyware getting hit is disturbing.

So:
Anybody know enough details of this infection to gauge probably of reinfection?
Anybody know how this is being distributed?

Regards, Kurt

Attached Files


Edited by Rorschach112, 04 March 2008 - 05:54 PM.
Removed email address

  • 0

#3
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there and sorry for the delay

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\B316.tmp
C:\WINDOWS\POTA777444.exe
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\s.dll
C:\TEMP\.deleted
C:\WINDOWS\hmtixubk.dll

Folder::
C:\Program Files\Windows Plus
C:\Program Files\QdrModule
C:\Program Files\QdrPack

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00e7e722-1dd2-11b2-aff7-ac910f9327fe}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{019AEC30-DD6D-47C4-8806-2260F5B3DCF3}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QdrModule13"=-
"QdrPack13"=-

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#4
fnkac

fnkac

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thanks for the assistance.

Attached are new ComboFix and HijackThis logs.

Can you point me to any description of what these problems
are and where they might have come from?

Likewise, if there is any technical description of
these tools you could point me to I'd appreciate that.
Only parts of the logs are self explanatory. I doubt I'll
ever become a Windows geek to the extent I am with UNIX,
but trying to understand what's happening here seems
like first defense in preventing it from reoccurring.
Again, Thanks. Kurt

Attached Files


  • 0

#5
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

Can you point me to any description of what these problems
are and where they might have come from?

Basically they are generic trojan downloaders - these ones appear to have come from a codec download C:\Program Files\QdrModule

Likewise, if there is any technical description of
these tools you could point me to I'd appreciate that.
Only parts of the logs are self explanatory.

Unfortunately due to the nature of the battles we fight the exact purpose of these programmes must of a necessity be secured. Suffice it to say they know where to look for malware injection points and give a list of certain file areas

OK those two logs looked good - so now I will do a registry sweep to clear any orphan entries

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

How is your computer running now?
  • 0

#6
fnkac

fnkac

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
First mbam quick scan from login KAC was clean.

Second mbam quick scan from login KJL found:

Registry Keys Infected:
HKEY_CURRENT_USER\Software\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.

Twice from KAC login I have had svchost application errors
"The memory could not be read". First time hung the
computer hard when I attempted to diagnose. Had to power
cycle. Second time closed Ok (didn't try to diagnose).
Rebooted and no additional errors in an hours usage since then.
So I am not entirely sure that computer is running Ok.
I Will be using it cautiously for a week or two.
  • 0

#7
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Now the best part of the day ----- Your log now appears clean :)

You may now delete the files I had you download


Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and the display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?


Keep safe :) I will keep this thread open for a few more days just to be sure
  • 0

#8
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP