Please help with Aurora removal [CLOSED]


  • This topic is locked

#16 csinclair21 (Topic Starter, Member, 13 posts)

Here are the Panda results:

Incident Status Location

Spyware:spyware/whazit No disinfected C:\WINDOWS\SYSTEM32\fiz1
Spyware:spyware/betterinet No disinfected HKEY_CURRENT_USER\SOFTWARE\IN3RD
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TBPSSVC
Adware:adware/topmoxie No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{6685509E-B47B-4f47-8E16-9A5F3A62F683}
Adware:Adware/TheLocalSearch No disinfected C:\WINDOWS\Downloaded Program Files\sdmtb.cab[sdmtb.dll]


And here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:36:40 AM, on 8/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\Tman.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Documents and Settings\Katy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VisualElementFXad] C:\WINDOWS\VisualElementFXad\VisualElementFXad.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Kerberos Authentication.lnk = C:\WINDOWS\Tman.exe
O4 - Global Startup: DellTouch Programmable Keys.lnk = C:\Program Files\Netropa\Multimedia Keyboard\MMKbCfg7.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Dell Home - {DE9F7D9E-71AE-44E3-8DE5-D741FBFD7B86} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host8.digicha...s/Client_IE.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {19597B66-2CCF-11D4-B6C9-00C0F04E6DA8} (MPEG4 Image Control Object) - http://www.e-vue.com...ds/mpeg4img.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094263816921
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn....id/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn....ior/Outside.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...409/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

#17 kool808 (Visiting Staff, 1,690 posts)

Reboot in SAFE MODE. (How to boot in Safe Mode...)

Open up NOTEPAD, then copy & paste the following lines (starting from Windows Registry Editor Version 5.00). Save it on the desktop as fixme.reg. Choose file type as ALL FILES.

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\SOFTWARE\IN3RD]
[-HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TBPSSVC]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{6685509E-B47B-4f47-8E16-9A5F3A62F683}]

Now double-click fixme.reg, then allow it to merge into the system.

Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or file(s) if they exist (in bold):
  • C:\WINDOWS\SYSTEM32\fiz1
  • C:\WINDOWS\Downloaded Program Files\sdmtb.cab[sdmtb.dll]
Finally, empty the Recycle Bin.


Open Ad-aware and do a full scan. Remove all it finds.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked! Post again another log to look at.

Edited by kool808, 01 August 2005 - 05:34 AM.
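Added example (not part of kool808's post or of any tool named in this thread): a dry-run reader for a .reg fix file such as the fixme.reg above. Registry Editor files use `[-KEY]` to delete a whole key, `[KEY]` to create or open one, and `"Name"=-` to delete a single value; reading the file this way before double-clicking it shows exactly what will be removed and flags deletions that are so shallow (e.g. a whole `HKLM\SOFTWARE` subtree) that they would wipe far more than one product's keys. The `[HKEY_CURRENT_USER\Software\Example]` block in the sample is a constructed addition used only to exercise the create/delete-value syntax.

```python
import re

# Constructed sample: the three deletion lines from fixme.reg above, plus a
# hypothetical [HKEY_CURRENT_USER\Software\Example] block (not on the original
# page) that exercises the create-key and delete-value syntax.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\SOFTWARE\IN3RD]
[-HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TBPSSVC]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{6685509E-B47B-4f47-8E16-9A5F3A62F683}]
[HKEY_CURRENT_USER\Software\Example]
"Value"=-
"""

HEADER = "Windows Registry Editor Version 5.00"
VALID_ROOTS = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
               "HKEY_USERS", "HKEY_CURRENT_CONFIG")
# A deletion shallower than root\hive\product (e.g. [-HKEY_LOCAL_MACHINE\SOFTWARE])
# removes far more than one product's keys; flag it before merging.
MIN_DELETE_DEPTH = 3


def parse_reg(text):
    """Return (action, key, value_name) tuples describing what regedit will do."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("first line must be %r or regedit refuses to merge" % HEADER)
    actions, current_key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment line
            continue
        m = re.fullmatch(r"\[(-?)(.+)\]", line)       # [KEY] creates, [-KEY] deletes
        if m:
            delete, key = m.group(1) == "-", m.group(2)
            if key.split("\\", 1)[0] not in VALID_ROOTS:
                raise ValueError("unknown root hive in %r" % key)
            current_key = key
            actions.append(("delete_key" if delete else "ensure_key", key, None))
            continue
        m = re.fullmatch(r'(@|"[^"]+")=(.*)', line)    # "Name"=data; "Name"=- deletes
        if m and current_key is not None:
            name, data = m.group(1).strip('"'), m.group(2)
            actions.append(("delete_value" if data == "-" else "set_value",
                            current_key, name))
            continue
        raise ValueError("unrecognised line: %r" % raw)
    return actions


def review(text):
    """Summarise a fix file: counts per action plus deletions that look too broad."""
    summary = {"delete_key": 0, "ensure_key": 0, "delete_value": 0,
               "set_value": 0, "broad_deletions": []}
    for action, key, _ in parse_reg(text):
        summary[action] += 1
        if action == "delete_key" and len(key.split("\\")) < MIN_DELETE_DEPTH:
            summary["broad_deletions"].append(key)
    return summary


if __name__ == "__main__":
    for action, key, name in parse_reg(SAMPLE_REG):
        print(action, key, name or "")
    print(review(SAMPLE_REG))
```

The header check matters in practice: a file saved without the exact first line (or saved as fixme.reg.txt because "All Files" was not selected) will not merge at all, which is the usual reason a "fixed" machine still shows the same Panda hits on the next scan.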


#18 csinclair21 (Topic Starter, Member, 13 posts)

Here is the latest Panda log:


Incident Status Location

Spyware:spyware/whazit No disinfected C:\WINDOWS\SYSTEM32\fiz1
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TBPSSVC
Adware:adware/topmoxie No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{6685509E-B47B-4f47-8E16-9A5F3A62F683}
Adware:Adware/TheLocalSearch No disinfected C:\WINDOWS\Downloaded Program Files\sdmtb.cab[sdmtb.dll]

#19 kool808 (Visiting Staff, 1,690 posts)

Please download WebRoot SpySweeper from [ HERE ] (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Run a Panda scan again to see the difference.

#20 csinclair21 (Topic Starter, Member, 13 posts)

Here are the Spy Sweeper results:

********
9:03 PM: |··· Start of Session, Tuesday, August 02, 2005 ···|
9:03 PM: Spy Sweeper started
9:03 PM: Sweep initiated using definitions version 510
9:03 PM: Starting Memory Sweep
9:07 PM: Memory Sweep Complete, Elapsed Time: 00:04:08
9:07 PM: Starting Registry Sweep
9:07 PM: Found Adware: ebates money maker
9:07 PM: HKU\S-1-5-21-1078081533-764733703-854245398-1003\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 125587)
9:07 PM: Found Adware: flashtrack
9:07 PM: HKCR\interface\{28168cce-5310-4f12-ab58-9da99a55aaeb}\ (8 subtraces) (ID = 126531)
9:07 PM: HKLM\software\classes\interface\{28168cce-5310-4f12-ab58-9da99a55aaeb}\ (8 subtraces) (ID = 126537)
9:07 PM: HKLM\software\classes\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\ (9 subtraces) (ID = 126538)
9:07 PM: HKLM\software\fen\ (7 subtraces) (ID = 126539)
9:07 PM: HKLM\software\flen\ (1 subtraces) (ID = 126540)
9:07 PM: HKCR\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\ (9 subtraces) (ID = 126562)
9:07 PM: Found Adware: hotbar
9:07 PM: HKU\S-1-5-20\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585)
9:07 PM: HKU\S-1-5-19\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585)
9:07 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585)
9:07 PM: HKU\S-1-5-20\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587)
9:07 PM: HKU\S-1-5-19\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587)
9:07 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587)
9:07 PM: Found Adware: drsnsrch.com hijack
9:07 PM: HKU\S-1-5-21-1078081533-764733703-854245398-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
9:07 PM: Found Adware: xoff
9:07 PM: HKCR\appid\x2ff.dll\ (1 subtraces) (ID = 147661)
9:07 PM: HKCR\appid\{3dec0d48-84da-483e-afd5-40619c00d465}\ (1 subtraces) (ID = 147662)
9:07 PM: HKCR\appid\{9b3c2a48-df6a-4364-9961-1c80f0ba83b3}\ (1 subtraces) (ID = 147663)
9:07 PM: HKCR\appid\{d1bb73a7-5d35-48c9-94c0-d0bd624b0f5d}\ (1 subtraces) (ID = 147664)
9:07 PM: HKCR\interface\{b0c5e55e-53df-4966-90a0-912d34cb64a7}\ (8 subtraces) (ID = 147668)
9:07 PM: HKCR\interface\{d9e03192-5849-4ae2-b76a-204820e6860c}\ (8 subtraces) (ID = 147669)
9:07 PM: HKCR\interface\{f9a74e8c-c877-46fd-8487-782b5868296e}\ (8 subtraces) (ID = 147670)
9:07 PM: HKLM\software\classes\appid\x2ff.dll\ (1 subtraces) (ID = 147671)
9:07 PM: HKLM\software\classes\appid\{3dec0d48-84da-483e-afd5-40619c00d465}\ (1 subtraces) (ID = 147672)
9:07 PM: HKLM\software\classes\appid\{9b3c2a48-df6a-4364-9961-1c80f0ba83b3}\ (1 subtraces) (ID = 147673)
9:07 PM: HKLM\software\classes\appid\{d1bb73a7-5d35-48c9-94c0-d0bd624b0f5d}\ (1 subtraces) (ID = 147674)
9:07 PM: HKLM\software\classes\interface\{b0c5e55e-53df-4966-90a0-912d34cb64a7}\ (8 subtraces) (ID = 147678)
9:07 PM: HKLM\software\classes\interface\{d9e03192-5849-4ae2-b76a-204820e6860c}\ (8 subtraces) (ID = 147679)
9:07 PM: HKLM\software\classes\interface\{f9a74e8c-c877-46fd-8487-782b5868296e}\ (8 subtraces) (ID = 147680)
9:07 PM: HKLM\software\classes\typelib\{1d1a0231-322a-4024-a282-697bf547970e}\ (9 subtraces) (ID = 147681)
9:07 PM: HKLM\software\classes\typelib\{a981f8f6-4505-4670-8d38-96a3e894d5be}\ (9 subtraces) (ID = 147682)
9:07 PM: HKLM\software\classes\typelib\{ef38c329-15f7-4a32-85b1-1d5770ff5f48}\ (9 subtraces) (ID = 147683)
9:07 PM: HKLM\software\classes\x1ff.xbrowse\ (5 subtraces) (ID = 147685)
9:07 PM: HKCR\typelib\{1d1a0231-322a-4024-a282-697bf547970e}\ (9 subtraces) (ID = 147693)
9:07 PM: HKCR\typelib\{a981f8f6-4505-4670-8d38-96a3e894d5be}\ (9 subtraces) (ID = 147694)
9:07 PM: HKCR\typelib\{ef38c329-15f7-4a32-85b1-1d5770ff5f48}\ (9 subtraces) (ID = 147695)
9:07 PM: HKCR\x1ff.xbrowse\ (5 subtraces) (ID = 147697)
9:07 PM: Found Adware: bonzi buddy
9:07 PM: HKCR\clsid\{86e5d750-02eb-11d3-a464-0080c858f182}\inprocserver32\ (2 subtraces) (ID = 169266)
9:07 PM: HKCR\clsid\{86e5d750-02eb-11d3-a464-0080c858f182}\miscstatus\1\ (1 subtraces) (ID = 169267)
9:07 PM: HKCR\clsid\{86e5d750-02eb-11d3-a464-0080c858f182}\progid\ (1 subtraces) (ID = 169268)
9:07 PM: HKCR\clsid\{86e5d750-02eb-11d3-a464-0080c858f182}\programmable\ (ID = 169269)
9:07 PM: HKCR\clsid\{86e5d750-02eb-11d3-a464-0080c858f182}\toolboxbitmap32\ (1 subtraces) (ID = 169270)
9:07 PM: HKCR\clsid\{86e5d750-02eb-11d3-a464-0080c858f182}\version\ (1 subtraces) (ID = 169271)
9:07 PM: HKCR\clsid\{aaa403c6-03b3-11d3-a465-0080c858f182}\ (5 subtraces) (ID = 169272)
9:07 PM: HKCR\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\ (9 subtraces) (ID = 449649)
9:07 PM: HKCR\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\ (8 subtraces) (ID = 449650)
9:07 PM: HKCR\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\0\ (2 subtraces) (ID = 449652)
9:07 PM: HKCR\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\0\win32\ (1 subtraces) (ID = 449653)
9:07 PM: HKCR\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\flags\ (1 subtraces) (ID = 449655)
9:07 PM: HKCR\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\helpdir\ (1 subtraces) (ID = 449657)
9:07 PM: HKLM\software\classes\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\ (9 subtraces) (ID = 465256)
9:07 PM: HKLM\software\classes\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\ (8 subtraces) (ID = 465257)
9:07 PM: HKLM\software\classes\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\0\ (2 subtraces) (ID = 465259)
9:07 PM: HKLM\software\classes\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\0\win32\ (1 subtraces) (ID = 465260)
9:07 PM: HKLM\software\classes\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\flags\ (1 subtraces) (ID = 465262)
9:07 PM: HKLM\software\classes\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\helpdir\ (1 subtraces) (ID = 465264)
9:07 PM: Registry Sweep Complete, Elapsed Time:00:00:31
9:07 PM: Starting Cookie Sweep
9:07 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:07 PM: Starting File Sweep
9:07 PM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
9:07 PM: Warning: Failed to open file "c:\hiberfil.sys". Access is denied
9:08 PM: Found Adware: comet cursor
9:08 PM: c:\windows\system\comet (71 subtraces) (ID = -2147481225)
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
9:14 PM: cscore.dll (ID = 53519)
9:14 PM: csip.dll (ID = 53536)
9:14 PM: skinui.dll (ID = 53643)
9:14 PM: comet.exe (ID = 53483)
9:14 PM: Found Adware: begin2search
9:14 PM: greenmovie.ico (ID = 51033)
9:14 PM: Found Trojan Horse: trojan backdoor ppdoor
9:14 PM: ljyszpza.dll (ID = 79780)
9:18 PM: flenclean.exe (ID = 61079)
9:21 PM: c:\program files\flen (3 subtraces) (ID = -2147480975)
9:21 PM: flenclean.exe (ID = 61079)
9:24 PM: flencpy_inst.exe (ID = 61081)
9:28 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\katy\ntuser.dat". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\katy\ntuser.dat.log". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\katy\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\katy\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
9:29 PM: Warning: Failed to open file "c:\documents and settings\katy\application data\mozilla\firefox\profiles\9x27hq7a.default\parent.lock". The process cannot access the file because it is being used by another process
9:29 PM: File Sweep Complete, Elapsed Time: 00:21:54
9:29 PM: Full Sweep has completed. Elapsed time 00:26:40
9:29 PM: Traces Found: 357
10:26 PM: Removal process initiated
10:27 PM: Quarantining All Traces: ebates money maker
10:27 PM: Quarantining All Traces: flashtrack
10:27 PM: Quarantining All Traces: hotbar
10:27 PM: Quarantining All Traces: drsnsrch.com hijack
10:27 PM: Quarantining All Traces: xoff
10:27 PM: Quarantining All Traces: bonzi buddy
10:27 PM: Quarantining All Traces: comet cursor
10:27 PM: Quarantining All Traces: begin2search
10:27 PM: Quarantining All Traces: trojan backdoor ppdoor
10:27 PM: Removal process completed. Elapsed time 00:00:40
********
9:02 PM: |··· Start of Session, Tuesday, August 02, 2005 ···|
9:02 PM: Spy Sweeper started
9:03 PM: |··· End of Session, Tuesday, August 02, 2005 ···|


And here is the latest Panda log:


Incident Status Location

Spyware:spyware/whazit No disinfected C:\WINDOWS\SYSTEM32\fiz1
Adware:adware/wintools No disinfected Windows Registry
Adware:Adware/TheLocalSearch No disinfected C:\WINDOWS\Downloaded Program Files\sdmtb.cab[sdmtb.dll]
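Added example (not from csinclair21's post, not Spy Sweeper code): a reader for the Spy Sweeper session log format shown above, which groups the "(ID = n)" trace lines under the "Found <category>: <family>" line that precedes them, collects the "Warning: Failed to open file" lines, and then cross-checks the removal phase: any family the sweep found but never appears in a "Quarantining All Traces:" line is still on the machine. The sample log is a constructed abbreviation of the one posted above; the quarantine line for "trojan backdoor ppdoor" has been deliberately left out so the check has something to report.

```python
import re

# Constructed sample: an abbreviated copy of the Spy Sweeper session log above
# (one or two trace lines per family; the real log had 357 traces). The
# quarantine line for the ppdoor family is intentionally omitted.
SAMPLE_LOG = r"""
9:03 PM: Spy Sweeper started
9:03 PM: Sweep initiated using definitions version 510
9:07 PM: Starting Registry Sweep
9:07 PM: Found Adware: ebates money maker
9:07 PM: HKU\S-1-5-21-1078081533-764733703-854245398-1003\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 125587)
9:07 PM: Found Adware: flashtrack
9:07 PM: HKLM\software\fen\ (7 subtraces) (ID = 126539)
9:07 PM: HKLM\software\flen\ (1 subtraces) (ID = 126540)
9:07 PM: Registry Sweep Complete, Elapsed Time:00:00:31
9:07 PM: Starting File Sweep
9:07 PM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
9:14 PM: Found Trojan Horse: trojan backdoor ppdoor
9:14 PM: ljyszpza.dll (ID = 79780)
9:29 PM: Traces Found: 4
10:26 PM: Removal process initiated
10:27 PM: Quarantining All Traces: ebates money maker
10:27 PM: Quarantining All Traces: flashtrack
10:27 PM: Removal process completed. Elapsed time 00:00:40
"""

LINE = re.compile(r"^\d{1,2}:\d{2} [AP]M: (.*)$")        # "9:07 PM: message"
FOUND = re.compile(r"^Found (.+?): (.+)$")               # "Found Adware: flashtrack"
TRACE = re.compile(r"^(.*) \(ID = (-?\d+)\)$")           # "...\ (ID = 126539)"
QUAR = re.compile(r"^Quarantining All Traces: (.+)$")
WARN = re.compile(r'^Warning: Failed to open file "([^"]+)"')


def parse_session(text):
    """Return (families, quarantined, warnings) from one session log."""
    families, quarantined, warnings, current = {}, set(), [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # "********" banners and other noise
        msg = m.group(1)
        if (f := FOUND.match(msg)):
            current = f.group(2)
            families[current] = {"category": f.group(1), "traces": []}
        elif (q := QUAR.match(msg)):
            quarantined.add(q.group(1))
        elif (w := WARN.match(msg)):
            warnings.append(w.group(1))
        elif msg.startswith("Starting ") or "Sweep Complete" in msg:
            current = None                # new phase: traces belong to the next Found line
        elif (t := TRACE.match(msg)) and current is not None:
            families[current]["traces"].append((t.group(1), int(t.group(2))))
    return families, quarantined, warnings


def trace_count(families):
    return sum(len(f["traces"]) for f in families.values())


def unremoved_families(families, quarantined):
    """Families the sweep found but the removal phase never quarantined."""
    return sorted(set(families) - quarantined)


def benign_lock_warnings(warnings):
    """'Failed to open' warnings on files Windows always holds open; expected, not a fault."""
    always_locked = ("\\config\\", "pagefile.sys", "hiberfil.sys", "ntuser.dat", "usrclass.dat")
    return [w for w in warnings if any(s in w.lower() for s in always_locked)]


if __name__ == "__main__":
    fam, quar, warn = parse_session(SAMPLE_LOG)
    for name, info in fam.items():
        print("%-14s %-24s %d trace(s)" % (info["category"], name, len(info["traces"])))
    print("not quarantined:", unremoved_families(fam, quar))
    print("expected lock warnings:", benign_lock_warnings(warn))
```

Run over the full log posted above, every found family also appears in a quarantine line, and all of the "Failed to open file" warnings are on registry hives, the pagefile and hiberfil, or profile hives, which are locked while Windows is running and are not something the sweep missed.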

#21 kool808 (Visiting Staff, 1,690 posts)

Search for the jobs:

Open notepad and copy and paste next in it:

rem /a on its own lists hidden and system files too; "/a h" would make cmd treat h as a second file name
dir %Windir%\tasks /a > files.txt
notepad files.txt

Save this as findjobs.bat (choose to save it as "All Files") and place it on your desktop.

Double-click findjobs.bat and post the content of the text file you get in your next reply.
(NOTE: You can delete this file afterwards.)

Post a new HijackThis log

#22 csinclair21 (Topic Starter, Member, 13 posts)

Here are the results from findjob.bat:

Volume in drive C has no label.
Volume Serial Number is 07D1-031B

Directory of C:\WINDOWS\tasks

03/27/2001 06:40 PM <DIR> .
03/27/2001 06:40 PM <DIR> ..
09/01/2002 06:05 PM 65 DESKTOP.INI
08/02/2005 06:26 PM 6 SA.DAT
08/03/2005 11:00 PM 502 Tune-up Application Start.job
08/04/2005 10:36 PM 354 PCHealth Scheduler for Data Collection.job
08/04/2005 10:40 PM 410 Symantec NetDetect.job
5 File(s) 1,337 bytes

Directory of C:\Documents and Settings\Katy\Desktop


And here's the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:45:14 PM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Tman.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Katy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VisualElementFXad] C:\WINDOWS\VisualElementFXad\VisualElementFXad.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Kerberos Authentication.lnk = C:\WINDOWS\Tman.exe
O4 - Global Startup: DellTouch Programmable Keys.lnk = C:\Program Files\Netropa\Multimedia Keyboard\MMKbCfg7.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Dell Home - {DE9F7D9E-71AE-44E3-8DE5-D741FBFD7B86} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host8.digicha...s/Client_IE.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {19597B66-2CCF-11D4-B6C9-00C0F04E6DA8} (MPEG4 Image Control Object) - http://www.e-vue.com...ds/mpeg4img.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094263816921
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn....id/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn....ior/Outside.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...409/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


Thanks!
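Added example (not from the thread and not HijackThis code): a small reader for the HijackThis log format posted above. It splits each line into its section code (O4, O9, O23, ...) and body, pulls the program path out of O4 Run and Startup entries, and applies three review heuristics a log reader applies by eye: the entry says "(file missing)", the program is a bare name like SysTray.Exe (found through the PATH search order, so which copy runs is not obvious), or the program sits directly in the Windows directory rather than in a program folder. These are "look at this" flags, not verdicts; the Tman.exe line, for instance, is flagged only because of where the file lives. It also diffs two logs so the change between post #16 and post #22 (the Webroot service appearing) is listed rather than found by scrolling. The sample lines are copied from the two logs in this thread and trimmed.

```python
import re
import ntpath  # Windows path handling, works on any host

# Constructed sample: a handful of lines taken from the HijackThis logs in
# posts #16 and #22 of this thread, trimmed to what the checks need.
OLD_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VisualElementFXad] C:\WINDOWS\VisualElementFXad\VisualElementFXad.exe
O4 - Global Startup: Kerberos Authentication.lnk = C:\WINDOWS\Tman.exe
O9 - Extra button: Dell Home - {DE9F7D9E-71AE-44E3-8DE5-D741FBFD7B86} - http://www.dellnet.com/ (file missing) (HKCU)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""
NEW_LOG = OLD_LOG + r"""O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

ENTRY = re.compile(r"^([ORFN]\d+) - (.*)$")
RUN = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run(?:Once|Services)?: \[([^\]]+)\] (.*)$")
STARTUP = re.compile(r"^(?:Global )?Startup: (.+?) = (.*)$")
# First program path in a command line: quoted, or up to the executable extension.
EXE = re.compile(r'^"?(.*?\.(?:exe|com|scr|bat|cmd|dll))"?(?:\s|$)', re.I)


def parse_log(text):
    """Return one dict per HijackThis entry: section code, body, full line."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            entries.append({"section": m.group(1), "body": m.group(2), "line": raw.strip()})
    return entries


def target_of(entry):
    """Command line started by an O4 Run or Startup entry, else None."""
    m = RUN.match(entry["body"]) or STARTUP.match(entry["body"])
    return m.group(m.lastindex) if m else None


def program_path(command):
    m = EXE.match(command.strip())
    return m.group(1) if m else command.strip()


def triage(entries):
    """(reason, line) pairs for entries worth a manual look. Heuristics, not verdicts."""
    findings = []
    for e in entries:
        if "(file missing)" in e["body"]:
            findings.append(("target file missing", e["line"]))
        command = target_of(e)
        if command is None:
            continue
        prog = program_path(command)
        if not re.match(r"^[A-Za-z]:\\", prog):
            findings.append(("bare program name, resolved through the PATH search order", e["line"]))
        elif ntpath.dirname(prog).lower().endswith("\\windows"):
            findings.append(("program sits directly in the Windows directory", e["line"]))
    return findings


def diff_logs(old_text, new_text):
    """(added, removed) entry lines between two logs of the same machine."""
    old = {e["line"] for e in parse_log(old_text)}
    new = {e["line"] for e in parse_log(new_text)}
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for reason, line in triage(parse_log(NEW_LOG)):
        print("%-60s %s" % (reason, line))
    added, removed = diff_logs(OLD_LOG, NEW_LOG)
    print("added:", added, "removed:", removed)
```

Diffing is the useful part once a thread runs to several logs: the entries that change between posts are exactly the ones a helper needs to look at, and everything that stayed the same across a clean verdict can be ignored.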

#23 kool808 (Visiting Staff, 1,690 posts)

Alright, your logs look clean now. Just a few more steps, then we are done.

Reboot in Safe Mode.

Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or file(s) if they exist (in bold):
  • C:\WINDOWS\SYSTEM32\fiz1 <-- whole folder
  • C:\WINDOWS\Downloaded Program Files\sdmtb.cab[sdmtb.dll] <-- or anything similar to it, when in doubt of the file please do NOT delete.
Finally, empty the Recycle Bin.

Reboot back to NORMAL MODE.

Have an online scan with panda again then post the results.

How is your system running now? :tazz:

#24 csinclair21 (Topic Starter, Member, 13 posts)

Sorry I haven't replied in a few days, I've been on vacation. Now that I'm back, there is a really big problem. When I left for vacation, the last time I used my computer it was running great (internet included). When I returned and turned my computer on (it had been off the entire time), however, the internet does not work at all. When I open Firefox, it brings up a page that looks like a Comcast page, and it tells me to disable all firewalls, pop-up blockers, and anti-virus software. It then asks me to download and install a file at the bottom of the page. I'm sure that this is not an actual Comcast page, but it will not allow me to go anywhere on the web (I have to enter this reply from another computer). A warning box pops up in Firefox that says that the certificate does not match the domain name (which the warning box says is actsvr.comcastonline.com, even though it still shows www.msnbc.com in the browser). What can I do to fix this?

Thanks!

Edited by csinclair21, 11 August 2005 - 05:04 AM.
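Added example (not from the thread): the warning described in the post above is the browser's hostname check failing, i.e. the server that answered for www.msnbc.com presented a certificate issued to actsvr.comcastonline.com, so whatever answered was not the site in the address bar. The function below implements that check in the usual form (exact match after case-folding and dropping a trailing dot, plus a `*.` wildcard that covers exactly one leftmost label and never a whole top-level domain), against a list of DNS names that would in practice be read from the certificate's Subject Alternative Name entries; here they are passed in as constructed sample values. The right response to a mismatch is the one the poster took: do not proceed and do not install what the page offers.

```python
def hostname_matches(requested, presented_names):
    """True if one of the certificate's DNS names covers the requested host."""
    host = requested.lower().rstrip(".")
    for name in presented_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                    # "*.msnbc.com" -> ".msnbc.com"
            if suffix.count(".") < 2:            # refuse "*.com"-style wildcards
                continue
            if host.endswith(suffix):
                left = host[:-len(suffix)]
                if left and "." not in left:     # the wildcard spans one label only
                    return True
    return False


def verdict(requested, presented_names):
    """Plain-language outcome of the check, as a browser warning would phrase it."""
    if hostname_matches(requested, presented_names):
        return "match: certificate covers %s" % requested
    return "mismatch: certificate issued to %s, but the page was requested as %s" % (
        ", ".join(presented_names), requested)


if __name__ == "__main__":
    # Constructed sample values: the names from the poster's description, then
    # a few cases that show the wildcard rules.
    print(verdict("www.msnbc.com", ["actsvr.comcastonline.com"]))
    print(verdict("www.msnbc.com", ["*.msnbc.com"]))
    print(verdict("a.b.msnbc.com", ["*.msnbc.com"]))
```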


#25 kool808 (Visiting Staff, 1,690 posts)

Great, how was the vacation, did you have fun? Where did you hang out? Hope you enjoyed it :tazz:

Block all outside/inside attempts using your firewall.

Get another HijackThis log and post it here again.

#26 csinclair21 (Topic Starter, Member, 13 posts)

Vacation was great, I went up to Northern Michigan for a few days, and the weather was perfect.

Now to the serious stuff. How can I block all outside/inside attempts with Windows Firewall? That's the firewall that I've been using, and I don't see an option for that. I won't be able to post a HijackThis log until I am able to get onto the Internet on my computer. Any suggestions would be great. Thanks.

#27 kool808 (Visiting Staff, 1,690 posts)

This tool will bring your internet connection back.

If you're having trouble connecting to the Internet try running the WinSockFix utility to repair your connection:

Download this from another computer, then transfer it to your PC and run WinSockXPFix.

++++++++++++++++
Once you regain your connection, a connection attempt may occur. Your firewall is active by default and will block any bad attempts. It will display a pop-up message stating that something is trying to open a connection; just press BLOCK on any malicious attempts. :tazz: If it is legitimate, then just allow it.

#28 kool808 (Visiting Staff, 1,690 posts)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.