Lots of popups at work....please help [CLOSED]

#1 Skidroc (Member, 63 posts)

Logfile of HijackThis v1.99.1
Scan saved at 9:34:03 AM, on 7/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\system32\capllstyle.exe
C:\WINDOWS\system32\cabkperf.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Aprps\CxtPls.exe
C:\WINDOWS\system32\jannar.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HIJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...DT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com...DT/0409/bl7.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.28.8.*;wtsawww3;bpm.wtsa.com;fescoweb
O1 - Hosts: 205.218.54.132 wtsawww2
O1 - Hosts: 172.28.8.18 GENSYS1
O1 - Hosts: 172.28.8.30 EDIDEV1
O1 - Hosts: 172.28.8.25 EDISERV1
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [sE5X3si] capllstyle.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\jannar.exe reg_run
O4 - HKCU\..\Run: [dpu7RiG8l] cabkperf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: map.bat
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.wtsa.com/citrix/wficat.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118159385453
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C738559-A106-4D07-A597-018428CA8289}: NameServer = 205.218.54.80,0.0.0.0
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)

#2 Kristy (Visiting Consultant, 1,099 posts)

Hello and welcome to Geeks To Go.

Let's start out with some general scans and see if we can't clean things up a little.

+++++ Step 1 +++++

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

+++++ Step 2 +++++

Update HiJackThis
  • Open HiJackThis
  • Click Open the Misc Tools Section
  • Click Check for update online
+++++ Step 3 +++++

After that, I will need to see two different logs from HiJackThis. The first is the normal log like the one you posted here. To get the other one, follow these directions.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back with those logs and we can continue from there.

If you have received help elsewhere or no longer need our assistance, please let us know.

~Kristy

#3 Skidroc (Topic Starter, 63 posts)

Here's the Trend Micro report:

Virus Scan 0 virus cleaned, 10 viruses deleted


Results:
We have detected 11 infected file(s) with 11 virus(es) on your computer. Only 0 out of 0 infected files are displayed: - 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 10 virus(es) deleted, 1 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken
C:\Documents and Settings\JSkidmore\Local Settings\Temp\Del1B.tmp TROJ_AGENT.RS Deletion successful
C:\Documents and Settings\JSkidmore\Local Settings\Temp\f641468.exe TROJ_QOOLOGIC.D Deletion successful
C:\RECYCLER\S-1-5-21-1898082997-3087016331-799121778-500\Dc6.exe TROJ_STARTPAG.QY Deletion successful
C:\WINDOWS\system32\conres.cpl TROJ_QOOLOGIC.P Deletion successful
C:\WINDOWS\system32\datadx.dll TROJ_QOOLOGIC.P Deletion successful
C:\WINDOWS\system32\dmdon32.exe TROJ_APROPO.H Undeletable
C:\WINDOWS\system32\elitemuf32.exe TROJ_STARTPAG.QY Deletion successful
C:\WINDOWS\system32\elitewva32.exe TROJ_STARTPAG.QY Deletion successful
C:\WINDOWS\system32\installer_MARKETING30.exe TROJ_DLOADER.MG Deletion successful
C:\WINDOWS\system32\pbuub.dat TROJ_QOOLOGIC.N Deletion successful
C:\WINDOWS\system32\ps1.exe TROJ_DLOADER.OR Deletion successful
Trojan/Worm Check 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed: - 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name Trojan/Worm Type Action Taken
Spyware Check 1 spyware program removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 51 spyware(s) on your computer. Only 0 out of 0 spywares are displayed: - 49 spyware(s) passed, 0 spyware(s) no action available
- 1 spyware(s) removed, 1 spyware(s) unremovable
Spyware Name Spyware Type Action Taken
ADW_POPBAR.A Adware Removal successful (Please reboot your machine)
ADW_APROPOS.O Adware Unremovable
Microsoft Vulnerability Check 2 vulnerabilities detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 2 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix
Important This remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.;The vulnerability is caused by an unchecked buffer in the Microsoft Office WordPerfect Converter. MS04-027
Critical This vulnerability lies in the way the affected components process JPEG image files. An unchecked buffer within this process is the cause of the vulnerability.;This remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute arbitrary code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes. MS04-028

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:36:19 PM, on 7/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\jannar.exe
C:\WINDOWS\system32\dmdon32.exe
C:\WINDOWS\system32\dmafdisk.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Aprps\CxtPls.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\userinit.exe
C:\HIJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...DT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com...DT/0409/bl7.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.28.8.*;wtsawww3;bpm.wtsa.com;fescoweb
O1 - Hosts: 205.218.54.132 wtsawww2
O1 - Hosts: 172.28.8.18 GENSYS1
O1 - Hosts: 172.28.8.30 EDIDEV1
O1 - Hosts: 172.28.8.25 EDISERV1
O1 - Hosts: 172.28.8.27 TERMSERV4
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\jannar.exe reg_run
O4 - HKLM\..\Run: [sE5X3si] dmdon32.exe
O4 - HKCU\..\Run: [dpu7RiG8l] dmafdisk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: map.bat
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.wtsa.com/citrix/wficat.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118159385453
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C738559-A106-4D07-A597-018428CA8289}: NameServer = 205.218.54.80,0.0.0.0
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)

HijackThis uninstall log:

Ad-Aware SE Personal
Adobe Reader 7.0
Broadcom Management Programs
Citrix ICA Client
Citrix ICA Web Client
Google Earth
HijackThis 1.99.1
Intel® Extreme Graphics Driver
J2SE Runtime Environment 5.0 Update 2
Java 2 Runtime Environment, SE v1.4.2_03
LiveUpdate 1.7 (Symantec Corporation)
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2000
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Web Publishing Wizard 1.53
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
SoundMAX
Spybot - Search & Destroy 1.3
Symantec AntiVirus Client
Update for Windows XP (KB898461)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinVNC 3.3.3
WinZip
Thanks for the help. :tazz:

#4 Kristy (Visiting Consultant, 1,099 posts)

Hello Skidroc,

Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

~Kristy :tazz:

#5 Skidroc (Topic Starter, 63 posts)

WinPFind Results:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 7/25/2005 9:24:38 AM 15442435 C:\WINDOWS\lpt$vpn.745
qoologic 7/25/2005 9:24:38 AM 15442435 C:\WINDOWS\lpt$vpn.745
SAHAgent 7/25/2005 9:24:38 AM 15442435 C:\WINDOWS\lpt$vpn.745
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 7/25/2005 9:24:38 AM 15442435 C:\WINDOWS\VPTNFILE.745
qoologic 7/25/2005 9:24:38 AM 15442435 C:\WINDOWS\VPTNFILE.745
SAHAgent 7/25/2005 9:24:38 AM 15442435 C:\WINDOWS\VPTNFILE.745
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 3/30/2003 10:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
69.59.186.63 7/14/2005 9:00:40 AM 26624 C:\WINDOWS\SYSTEM32\djssjgl.dll
209.66.67.134 7/14/2005 9:00:40 AM 26624 C:\WINDOWS\SYSTEM32\djssjgl.dll
web-nex 7/14/2005 9:00:40 AM 26624 C:\WINDOWS\SYSTEM32\djssjgl.dll
winsync 7/14/2005 9:00:40 AM 26624 C:\WINDOWS\SYSTEM32\djssjgl.dll
69.59.186.63 7/14/2005 9:00:40 AM 9728 C:\WINDOWS\SYSTEM32\joaao.dll
209.66.67.134 7/14/2005 9:00:40 AM 9728 C:\WINDOWS\SYSTEM32\joaao.dll
web-nex 7/14/2005 9:00:40 AM 9728 C:\WINDOWS\SYSTEM32\joaao.dll
winsync 7/14/2005 9:00:40 AM 9728 C:\WINDOWS\SYSTEM32\joaao.dll
PECompact2 7/6/2005 10:21:30 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 7/6/2005 10:21:30 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 6/6/2005 3:22:40 PM 18432 C:\WINDOWS\SYSTEM32\supdate.dll
KavSvc 6/6/2005 3:22:40 PM 18432 C:\WINDOWS\SYSTEM32\supdate.dll
yourkey 6/6/2005 3:22:40 PM 18432 C:\WINDOWS\SYSTEM32\supdate.dll
UPX! 6/6/2005 3:40:20 PM 223232 C:\WINDOWS\SYSTEM32\uci.exe
winsync 3/30/2003 10:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Checking the Windows folder for system and hidden files within the last 60 days...
6/7/2005 11:53:52 AM 0 C:\WINDOWS\inf\oem27.inf
6/29/2005 8:50:40 AM 0 C:\WINDOWS\inf\oem28.inf
7/26/2005 8:32:30 AM 0 C:\WINDOWS\LastGood\INF\oem29.inf
7/26/2005 8:32:30 AM 0 C:\WINDOWS\LastGood\INF\oem29.PNF
6/7/2005 2:07:44 PM 305145 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_16.cab
6/7/2005 2:10:44 PM 68327 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_17.cab
7/26/2005 8:49:58 AM 8192 C:\WINDOWS\system32\config\default.LOG
7/26/2005 8:49:58 AM 8192 C:\WINDOWS\system32\config\SAM.LOG
7/26/2005 8:50:04 AM 12288 C:\WINDOWS\system32\config\SECURITY.LOG
7/26/2005 8:50:20 AM 135168 C:\WINDOWS\system32\config\software.LOG
7/26/2005 8:50:26 AM 798720 C:\WINDOWS\system32\config\system.LOG
7/13/2005 5:16:22 PM 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
7/26/2005 8:47:12 AM 6 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
6/9/2005 11:10:08 AM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
7/14/2005 9:00:40 AM 61952 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\npaa.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
4/8/2005 10:22:28 AM 262 C:\Documents and Settings\JSkidmore\Start Menu\Programs\Startup\map.bat

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\iebar
iebar =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\SV1
SV1 =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ftyytnqg
{b32e210b-36ab-41f9-bc85-52199cfa114f} = C:\WINDOWS\system32\joaao.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IgfxTray C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
Smapp C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
DrvLsnr C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
srmclean C:\Cpqs\Scom\srmclean.exe
SetRefresh C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
WinVNC "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
vptray C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
winsync C:\WINDOWS\system32\jannar.exe reg_run
sE5X3si dmdon32.exe
AutoUpdater "C:\Program Files\AutoUpdate\AutoUpdate.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
dpu7RiG8l dmafdisk.exe
MSMSGS "C:\Program Files\Messenger\MSMSGS.EXE" /background

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoSimpleStartMenu 1
ForceClassicControlPanel 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
SetVisualStyle


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINDOWS\System32\NavLogon.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.4 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Track Qoo Results:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"DrvLsnr"="C:\\Program Files\\Analog Devices\\SoundMAX\\DrvLsnr.exe"
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"SetRefresh"="C:\\Program Files\\Compaq\\SetRefresh\\SetRefresh.exe"
"WinVNC"="\"C:\\Program Files\\ORL\\VNC\\WinVNC.exe\" -servicehelper"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"winsync"="C:\\WINDOWS\\system32\\jannar.exe reg_run"
"sE5X3si"="dmdon32.exe"
"AutoUpdater"="\"C:\\Program Files\\AutoUpdate\\AutoUpdate.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- ftyytnqg
{b32e210b-36ab-41f9-bc85-52199cfa114f}
C:\WINDOWS\system32\joaao.dll

Subkey --- LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}
C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WinZip\WZSHLSTB.DLL

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Reader Speed Launch.lnk
desktop.ini
npaa.exe
==============================
C:\Documents and Settings\JSkidmore\Start Menu\Programs\Startup

Adobe Reader Speed Launch.lnk
desktop.ini
npaa.exe
desktop.ini
map.bat
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
igfxcpl.cpl Intel Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
  • 0

#6
Kristy

Kristy

    Visiting Consultant

  • Member
  • PipPipPipPip
  • 1,099 posts
Hello skidroc,

Download the Attached Reg File to your Desktop

Download Killbox

Copy&Paste these into Killbox

C:\WINDOWS\SYSTEM32\uci.exe
C:\WINDOWS\SYSTEM32\supdate.dll
C:\WINDOWS\SYSTEM32\joaao.dll
C:\WINDOWS\SYSTEM32\djssjgl.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\npaa.exe
C:\Documents and Settings\JSkidmore\Start Menu\Programs\Startup\map.bat
C:\Program Files\AutoUpdate


Select Delete on Reboot

Reboot into Safe Mode

Run those entries through KillBox again, this time make these selections

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"

Locate the Regfile and Double Click to Execute-> Allow it to merge into the registry!

Restart Normal and have the PC Scanned here:
Panda Active Scan

Attached File  ShewQoo.zip   369bytes   48 downloads
~Kristy :tazz:

Edited by Rustymilo, 27 July 2005 - 11:28 AM.

  • 0

#7
Skidroc

Skidroc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
Here's the Panda logfile:


Incident Status Location

Adware:Adware/Apropos No disinfected C:\!Submit\AutoUpdate.exe
Virus:Trj/Qoologic.G Disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\npaa.exe
Virus:Trj/Qoologic.G Disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\264.tmp
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\AutoUpdate0\auto_update_install.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\AutoUpdate0\setup.inf
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\AutoUpdate1\auto_update_uninstall.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\AutoUpdate1\setup.inf
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\iBC.tmp
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\pcs_0010.exe
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\ptf_0010.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temporary Internet Files\Content.IE5\0XYVKDIN\auto_update[1].txt
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temporary Internet Files\Content.IE5\BBTV71WW\auto_update[1].txt
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temporary Internet Files\Content.IE5\J6VTIGOH\abiuninst[1].exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temporary Internet Files\Content.IE5\JVTNNP0W\AutoUpdaterInstaller[1].exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temporary Internet Files\Content.IE5\ORBR20L1\AM_1.0.226[1].exe
Adware:Adware/WinTools No disinfected C:\HIJackThis\backup-20050606-153757-384.dll
Adware:Adware/eZula No disinfected C:\HIJackThis\backup-20050606-155127-850.dll
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/Thecoolbar No disinfected C:\Program Files\FwBarTemp\cohelper.exe
Adware:Adware/Fizzle No disinfected C:\Program Files\FwBarTemp\searchbar.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access\MediaAccess.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system\QBUninstaller.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\auto_update_uninstall.exe
Virus:Trj/Downloader.BYZ Disinfected C:\WINDOWS\system32\dist001.exe
Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\system32\djssjgl.dll
Virus:Trj/Qoologic.G Disinfected C:\WINDOWS\system32\jannar.exe
Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\system32\joaao.dll
Adware:Adware/BigTrafficNet No disinfected C:\WINDOWS\system32\nsjA6.dll
Adware:Adware/BigTrafficNet No disinfected C:\WINDOWS\system32\nsv41.dll
Virus:Trj/Qoologic.G Disinfected C:\WINDOWS\system32\pbuub.dat
Virus:Trj/Downloader.BJG Disinfected C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe
  • 0

#8
Kristy

Kristy

    Visiting Consultant

  • Member
  • PipPipPipPip
  • 1,099 posts
Hello Skidroc,

Copy&Paste these into Killbox

C:\WINDOWS\SYSTEM32\uci.exe
C:\WINDOWS\SYSTEM32\supdate.dll
C:\WINDOWS\SYSTEM32\joaao.dll
C:\WINDOWS\SYSTEM32\djssjgl.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\npaa.exe
C:\Documents and Settings\JSkidmore\Start Menu\Programs\Startup\map.bat
C:\Program Files\AutoUpdate


Select Delete on Reboot

Reboot into Safe Mode

Run those entries through KillBox again, this time make these selections

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"

Locate the Regfile you downloaded last time and Double Click to Execute-> Allow it to merge into the registry!

Restart, and post back with a fresh log.

~Kristy :tazz:
  • 0

#9
Skidroc

Skidroc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
Hi,
I tried to put those files into KillBox but only the following 2 existed for me to delete:

C:\WINDOWS\SYSTEM32\joaao.dll
C:\WINDOWS\SYSTEM32\djssjgl.dll


The others were not located.

Also, the map.bat is a bat file I created that just maps 3 drives across a network. So I didn't add it.

Anyways, I followed your directions and here is the new panda log that it created:


Incident Status Location

Adware:Adware/Apropos No disinfected C:\!Submit\AutoUpdate.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\AutoUpdate0\auto_update_install.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\AutoUpdate0\setup.inf
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\AutoUpdate1\auto_update_uninstall.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\AutoUpdate1\setup.inf
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\iBC.tmp
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\pcs_0010.exe
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\ptf_0010.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temporary Internet Files\Content.IE5\0XYVKDIN\auto_update[1].txt
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temporary Internet Files\Content.IE5\BBTV71WW\auto_update[1].txt
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temporary Internet Files\Content.IE5\J6VTIGOH\abiuninst[1].exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temporary Internet Files\Content.IE5\JVTNNP0W\AutoUpdaterInstaller[1].exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temporary Internet Files\Content.IE5\ORBR20L1\AM_1.0.226[1].exe
Adware:Adware/WinTools No disinfected C:\HIJackThis\backup-20050606-153757-384.dll
Adware:Adware/eZula No disinfected C:\HIJackThis\backup-20050606-155127-850.dll
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/Thecoolbar No disinfected C:\Program Files\FwBarTemp\cohelper.exe
Adware:Adware/Fizzle No disinfected C:\Program Files\FwBarTemp\searchbar.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access\MediaAccess.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system\QBUninstaller.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\auto_update_uninstall.exe
Adware:Adware/BigTrafficNet No disinfected C:\WINDOWS\system32\nsjA6.dll
Adware:Adware/BigTrafficNet No disinfected C:\WINDOWS\system32\nsv41.dll
Thanks for the help. :tazz:
  • 0

#10
Kristy

Kristy

    Visiting Consultant

  • Member
  • PipPipPipPip
  • 1,099 posts
Please post a fresh HijackThis log as well.

~Kristy
  • 0



#11
Skidroc

Skidroc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:16:57 PM, on 7/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\dsssockx.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Aprps\CxtPls.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HIJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...DT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com...DT/0409/bl7.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.28.8.*;wtsawww3;bpm.wtsa.com;fescoweb
O1 - Hosts: 205.218.54.132 wtsawww2
O1 - Hosts: 172.28.8.18 GENSYS1
O1 - Hosts: 172.28.8.30 EDIDEV1
O1 - Hosts: 172.28.8.25 EDISERV1
O1 - Hosts: 172.28.8.27 TERMSERV4
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [dpu7RiG8l] dsssockx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: map.bat
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.wtsa.com/citrix/wficat.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118159385453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C738559-A106-4D07-A597-018428CA8289}: NameServer = 205.218.54.80,0.0.0.0
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
  • 0

#12
Kristy

Kristy

    Visiting Consultant

  • Member
  • PipPipPipPip
  • 1,099 posts
Hello Skidroc,

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Next please run HijackThis, click Scan, and check:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.28.8.*;wtsawww3;bpm.wtsa.com;fescoweb (Only place a check by this, and the other entries in green, if you do not know what it is)
O1 - Hosts: 205.218.54.132 wtsawww2
O1 - Hosts: 172.28.8.18 GENSYS1
O1 - Hosts: 172.28.8.30 EDIDEV1
O1 - Hosts: 172.28.8.25 EDISERV1
O1 - Hosts: 172.28.8.27 TERMSERV4

O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O4 - HKCU\..\Run: [dpu7RiG8l] dsssockx.exe
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C738559-A106-4D07-A597-018428CA8289}: NameServer = 205.218.54.80,0.0.0.0


Close all open windows except for HijackThis and click Fix Checked.

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Go to Start > Control Panel > Add/Remove Programs and remove the following (if found):

Aprps or Apropos

Exit Add/Remove Programs.

Be sure you're able to view hidden files, and remove the following files/folders in bold (if found):

C:\Program Files\Aprps

Empty your recycle bin, and reboot normally.

Please rescan with Panda.

If you would please, rescan with HijackThis and post a fresh log in this same topic, along with the Panda log, and let us know how your system's working. ;)

~Kristy :tazz:
  • 0
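The entries Kristy picks out of the log above follow a few repeatable rules: a Run value that launches a bare file name with no directory (dsssockx.exe), a Run value with a random-looking name, a BHO reported as "(no name)", and Hosts, ProxyOverride and NameServer entries that must be confirmed with whoever administers the machine rather than removed blindly. The script below is an added example (not code from this thread or from the HijackThis author) that applies those rules to HijackThis v1.99 log lines; the sample log is built from lines posted in this thread, and the regular expressions assume the log line formats shown here.

```python
"""Triage of HijackThis v1.99 log lines (added example, not from the thread).

"flag"   = matches a pattern the helper treated as unwanted.
"verify" = network setting that may be a legitimate corporate value;
           confirm with the owner/administrator before fixing.
"""
import re
from dataclasses import dataclass

# Line formats as they appear in the HijackThis logs posted in this thread.
_O4_RUN = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<item>.*)$")
_O2_BHO = re.compile(r"^O2 - BHO: (?P<desc>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
_O1_HOSTS = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
_O17_DNS = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
_PROXY_OVERRIDE = re.compile(r"^R[01] - .*,ProxyOverride = (?P<value>.*)$")


@dataclass
class Finding:
    line: str
    level: str   # "flag" or "verify"
    reason: str


def executable_of(cmd: str) -> str:
    """Return the program part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def looks_random(name: str) -> bool:
    """Weak signal: value names mixing letters and digits (dpu7RiG8l, sE5X3si).
    Vendor names such as IgfxTray or vptray contain no digits."""
    return any(c.isdigit() for c in name) and any(c.isalpha() for c in name)


def classify_line(line: str):
    """Classify one log line; returns a Finding or None for unremarkable lines."""
    line = line.rstrip()
    m = _O4_RUN.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        if "\\" not in exe and ":" not in exe:
            # No directory: Windows resolves it via the search path, and the
            # file is typically dropped into system32 by the infection.
            return Finding(line, "flag", f"Run value '{m.group('name')}' launches bare file name {exe}")
        if looks_random(m.group("name")):
            return Finding(line, "flag", f"Run value name '{m.group('name')}' looks machine-generated")
        return None
    m = _O4_STARTUP.match(line)
    if m:
        return Finding(line, "verify", f"startup folder item {m.group('item')}: confirm the owner created it")
    m = _O2_BHO.match(line)
    if m:
        if m.group("desc") == "(no name)":
            return Finding(line, "flag", f"BHO with no name loading {m.group('path')}")
        return None
    m = _O1_HOSTS.match(line)
    if m:
        return Finding(line, "verify", f"hosts override {m.group('host')} -> {m.group('ip')}")
    m = _O17_DNS.match(line)
    if m:
        return Finding(line, "verify", f"static DNS servers {m.group('servers')}: compare with the corporate DNS")
    m = _PROXY_OVERRIDE.match(line)
    if m:
        return Finding(line, "verify", f"proxy bypass list {m.group('value')}")
    return None


def triage(log_text: str) -> list:
    """Run classify_line over a whole log and keep only the findings."""
    return [f for f in (classify_line(l) for l in log_text.splitlines()) if f]


# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.28.8.*;wtsawww3;bpm.wtsa.com;fescoweb
O1 - Hosts: 205.218.54.132 wtsawww2
O1 - Hosts: 172.28.8.18 GENSYS1
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [dpu7RiG8l] dsssockx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: map.bat
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.wtsa.com/citrix/wficat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C738559-A106-4D07-A597-018428CA8289}: NameServer = 205.218.54.80,0.0.0.0
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.level:6}] {f.reason}")
```

Running it on the sample flags the dsssockx.exe Run value and the nameless Aprps BHO, and lists the Hosts, ProxyOverride, NameServer and map.bat entries for verification, which matches the split Kristy and Skidroc settled on above.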

#13
Skidroc

Skidroc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
The lines in green are work related, so they seem to be ok. I noticed I have WAY less pop ups, but I still have a few. Just nowhere near as many.

Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 3:58:23 PM, on 7/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HIJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...DT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com...DT/0409/bl7.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.28.8.*;wtsawww3;bpm.wtsa.com;fescoweb
O1 - Hosts: 205.218.54.132 wtsawww2
O1 - Hosts: 172.28.8.18 GENSYS1
O1 - Hosts: 172.28.8.30 EDIDEV1
O1 - Hosts: 172.28.8.25 EDISERV1
O1 - Hosts: 172.28.8.27 TERMSERV4
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: map.bat
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.wtsa.com/citrix/wficat.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118159385453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C738559-A106-4D07-A597-018428CA8289}: NameServer = 205.218.54.80,0.0.0.0
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)

Panda log:


Incident Status Location

Adware:Adware/Apropos No disinfected C:\!Submit\AutoUpdate.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\AutoUpdate0\auto_update_install.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\AutoUpdate0\setup.inf
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\AutoUpdate1\auto_update_uninstall.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\AutoUpdate1\setup.inf
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\iBC.tmp
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\pcs_0010.exe
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temp\ptf_0010.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temporary Internet Files\Content.IE5\0XYVKDIN\auto_update[1].txt
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temporary Internet Files\Content.IE5\BBTV71WW\auto_update[1].txt
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temporary Internet Files\Content.IE5\J6VTIGOH\abiuninst[1].exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temporary Internet Files\Content.IE5\JVTNNP0W\AutoUpdaterInstaller[1].exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\JSkidmore\Local Settings\Temporary Internet Files\Content.IE5\ORBR20L1\AM_1.0.226[1].exe
Adware:Adware/WinTools No disinfected C:\HIJackThis\backup-20050606-153757-384.dll
Adware:Adware/eZula No disinfected C:\HIJackThis\backup-20050606-155127-850.dll
Adware:Adware/Thecoolbar No disinfected C:\Program Files\FwBarTemp\cohelper.exe
Adware:Adware/Fizzle No disinfected C:\Program Files\FwBarTemp\searchbar.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access\MediaAccess.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system\QBUninstaller.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\auto_update_uninstall.exe
Adware:Adware/BigTrafficNet No disinfected C:\WINDOWS\system32\nsjA6.dll
Adware:Adware/BigTrafficNet No disinfected C:\WINDOWS\system32\nsv41.dll
Thanks :tazz:
  • 0

#14
Kristy

Kristy

    Visiting Consultant

  • Member
  • PipPipPipPip
  • 1,099 posts
Hello skidroc,

First, download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop.

Reboot into safemode.

Now run CleanUp!

Go to Start > Control Panel > Add/Remove programs, and remove the following if found:

FwBarTemp
Media Access


Exit Add/Remove Programs.

Now double-click on the killbox folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\!Submit\AutoUpdate.exe
C:\HIJackThis\backup-20050606-153757-384.dll
C:\HIJackThis\backup-20050606-155127-850.dll
C:\Program Files\FwBarTemp\cohelper.exe
C:\Program Files\FwBarTemp\searchbar.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\system\QBUninstaller.exe
C:\WINDOWS\system32\auto_update_uninstall.exe
C:\WINDOWS\system32\nsjA6.dll
C:\WINDOWS\system32\nsv41.dll


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt if you get one.
*If the computer does not reboot by itself, do it manually.

Rescan with Panda and HijackThis, and post the new logs in your next reply.

~Kristy :tazz:
  • 0

#15
Skidroc

Skidroc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
Hi,
Here's the Panda report:

Incident Status Location

Virus:Trj/Qoologic.H Disinfected C:\WINDOWS\system32\braarno.exe
Here's the HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 11:49:46 AM, on 8/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HIJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...DT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com...DT/0409/bl7.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.28.8.*;wtsawww3;bpm.wtsa.com;fescoweb
O1 - Hosts: 205.218.54.132 wtsawww2
O1 - Hosts: 172.28.8.18 GENSYS1
O1 - Hosts: 172.28.8.30 EDIDEV1
O1 - Hosts: 172.28.8.25 EDISERV1
O1 - Hosts: 172.28.8.27 TERMSERV4
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: map.bat
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.wtsa.com/citrix/wficat.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118159385453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C738559-A106-4D07-A597-018428CA8289}: NameServer = 205.218.54.80,0.0.0.0
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)


I hardly see any pop-ups now. ;)

If you see anything else that needs to be done let me know. If not, thanks for your help. :tazz:
  • 0