Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

[INACTIVE] OIN, Aurora, and WinFixer

Started by palagibaboy , Jul 25 2005 01:00 PM

  • This topic is locked This topic is locked

#1
palagibaboy
Posted 25 July 2005 - 01:00 PM

palagibaboy

    Member

  • Member
  • PipPip
  • 20 posts
It seems I somehow got infected with OIN and the corresponding group of malware/spyware that comes with it (Ad Killer, Aurora, WinFixer). I've gone through the gamut of spyware cleanups (CleanThis, AdAware, CWShredder, Spybot S&D); I did a Trend Housecall and have installed AVG on my computer; and I've also got copies of Microsoft's Beta AntiSpyware, Spyware Doctor, and Spyware Blaster available on my system (though I'd like some info on whether I should uninstall some of them or not to avoid any unintended conflicts).

I've switched to using Firefox, as well, but I still get the occasional Aurora ad, and WinFixer keeps trying to force an install on my system (I have a dialogue box up right now that reads

"Notice: If your computer has errors in the registry database or file system, it could cause unpredictable or errtic behavior, freezes and crashes. Fixing these errors can increase your computer's performance and prevent data loss.

Would you like to install WinFixer 2005 to check your computer for free? (Recommended)"

The last time I tried to just close the window, it installed itself anyways. So I plan to just shut-down the computer eventually without touching that dialogue box to avoid any forced installs.

So.. there you have it. I've read a few of the other threads on OIN, so I'm expecting I'm going to have to do some more involved clean ups. Any help that can be offered is greatly appreciated. Here's my current hijack this logfile..


Logfile of HijackThis v1.99.1
Scan saved at 11:53:49 AM, on 7/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\amda\uacn.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\WINDOWS\sodznfpntu.exe
C:\Documents and Settings\Riverstone\Desktop\michael\virus\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [hftysp] c:\windows\system32\pomcovm.exe r
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\onpopo.exe reg_run
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O15 - Trusted Zone: *.comcast.com
O15 - Trusted Zone: *.comcast.net
O15 - Trusted Zone: *.eventvibe.com
O15 - Trusted Zone: *.ford.com
O15 - Trusted Zone: *.imbc.com
O15 - Trusted Zone: http://*.sbs.co.kr
O16 - DPF: {00B44666-FFBD-4ADA-8169-CEA9A8B6B479} - http://filebox.empas...asMp3Player.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://chbib.chb.co....CSK_4.0.3.5.cab
O16 - DPF: {474AD63A-9B7E-40FE-8E4E-7067CC0F8D3D} (IB_OnAir.IBOnAir) - http://ionair.sbs.co...ir/IB_OnAir.CAB
O16 - DPF: {5C899971-E9D6-4496-8077-98378408E340} (MPControl Control) - http://mplay.sbs.co....SiMPControl.cab
O16 - DPF: {60F039CE-9490-4361-A769-5419FD166359} (egnInstallXCtrl2 Control) - http://empasweb.neff...stallXCtrl2.cab
O16 - DPF: {69E45937-0CB5-4FF9-8BB4-32B002FAD22D} - http://www.sazoounse.com/sazoounse.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - http://download.soft.../xw_install.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8592EE3-3790-41B6-A7C6-C722FCFFFD14} (EmpasWinXPSP2 Class) - http://empasweb.neff...empashelper.cab
O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA¢¼OCA·I±×·¥) - http://cdn.hangame.c...g/HanWebMsg.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://cdn.hangame.c...anSetup1008.cab
O16 - DPF: {E9702169-AFE2-477A-A79D-32151006E547} (IBSiteSigning.SiteSigning) - http://www.sbs.co.kr...SiteSigning.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jedimack.net
O17 - HKLM\Software\..\Telephony: DomainName = jedimack.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{53674CB8-EDE3-4229-ABBF-68C4B4B7EF1F}: Domain = jedimack.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jedimack.net
O20 - Winlogon Notify: MSSYCLM - C:\WINDOWS\system32\uorvoica.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Edited by Bugbatter, 23 August 2005 - 09:42 PM.

  • 0

Advertisements

#2
palagibaboy
Posted 26 July 2005 - 01:34 PM

palagibaboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Ok.. I left my computer untouched since yesterday, but, without even opening a single window, the WinFixer "warning" dialogue box popped up 5 more times on my desktop. I tried to force closure on them, but, again, WinFixer installed itself on my hard-drive and has attempted to "scan" my drives. I've re-run many of the earlier programs (except "CleanThis") but none of them have managed to remove traces of it as before.

Finally, I tried to remove it through the "add/remove" program file, but know that dialogue box is frozen. Again, I'm wary of shutting down at this time.

So, here's an updated Hijackthis log report. I'm not trying to bump this thread.. just trying to update my status. Thanks in advance for the help.


Logfile of HijackThis v1.99.1
Scan saved at 12:26:34 PM, on 7/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\WinFixer 2005\WFX5.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\amda\uacn.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Riverstone\Desktop\michael\virus\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [hftysp] c:\windows\system32\pomcovm.exe r
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\onpopo.exe reg_run
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O15 - Trusted Zone: *.comcast.com
O15 - Trusted Zone: *.comcast.net
O15 - Trusted Zone: *.eventvibe.com
O15 - Trusted Zone: *.ford.com
O15 - Trusted Zone: *.imbc.com
O15 - Trusted Zone: http://*.sbs.co.kr
O16 - DPF: {00B44666-FFBD-4ADA-8169-CEA9A8B6B479} - http://filebox.empas...asMp3Player.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://chbib.chb.co....CSK_4.0.3.5.cab
O16 - DPF: {474AD63A-9B7E-40FE-8E4E-7067CC0F8D3D} (IB_OnAir.IBOnAir) - http://ionair.sbs.co...ir/IB_OnAir.CAB
O16 - DPF: {5C899971-E9D6-4496-8077-98378408E340} (MPControl Control) - http://mplay.sbs.co....SiMPControl.cab
O16 - DPF: {60F039CE-9490-4361-A769-5419FD166359} (egnInstallXCtrl2 Control) - http://empasweb.neff...stallXCtrl2.cab
O16 - DPF: {69E45937-0CB5-4FF9-8BB4-32B002FAD22D} - http://www.sazoounse.com/sazoounse.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - http://download.soft.../xw_install.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8592EE3-3790-41B6-A7C6-C722FCFFFD14} (EmpasWinXPSP2 Class) - http://empasweb.neff...empashelper.cab
O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA¢¼OCA·I±×·¥) - http://cdn.hangame.c...g/HanWebMsg.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://cdn.hangame.c...anSetup1008.cab
O16 - DPF: {E9702169-AFE2-477A-A79D-32151006E547} (IBSiteSigning.SiteSigning) - http://www.sbs.co.kr...SiteSigning.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jedimack.net
O17 - HKLM\Software\..\Telephony: DomainName = jedimack.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{53674CB8-EDE3-4229-ABBF-68C4B4B7EF1F}: Domain = jedimack.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jedimack.net
O20 - Winlogon Notify: MSSYCLM - C:\WINDOWS\system32\uorvoica.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
  • 0

#3
palagibaboy
Posted 27 July 2005 - 03:47 PM

palagibaboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Again, not a bump but an update... I managed to hard remove the WinFixer program in SafeMode, and I tried cleaning out various exe that I knew had been created at the time that the virus apparently hit (around 2:23 AM on July 24), but naturally the problem still occurs. I'll post an updated hijack this log for now.

There seems to be something going on with my firefox browser now, too, though. I've done some limited browsing (a necessity at this time) and have noticed that, for instance, use of my Google search tool bar will almost instantaneously be hijacked and send me to MSN with search results and wipe of the immediate browser history (i.e., I can't move backwards in the browser). I'm also having various 'Aurora' network type ads populate the firefox browser interstitially after clicking a link. My guess is that I should just stop all web activity all-together.

I really can't, though. I need to do some research online..

Anyways, here's my latest hijack this report. Hopefully my problem will hit the queue front soon. Thanks.


.........................

Logfile of HijackThis v1.99.1
Scan saved at 2:39:22 PM, on 7/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\WINDOWS\sodznfpntu.exe
C:\WINDOWS\sodznfpntu.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Riverstone\Desktop\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe,C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O15 - Trusted Zone: *.comcast.com
O15 - Trusted Zone: *.comcast.net
O15 - Trusted Zone: *.eventvibe.com
O15 - Trusted Zone: *.ford.com
O15 - Trusted Zone: *.imbc.com
O15 - Trusted Zone: http://*.sbs.co.kr
O16 - DPF: {00B44666-FFBD-4ADA-8169-CEA9A8B6B479} - http://filebox.empas...asMp3Player.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://chbib.chb.co....CSK_4.0.3.5.cab
O16 - DPF: {474AD63A-9B7E-40FE-8E4E-7067CC0F8D3D} (IB_OnAir.IBOnAir) - http://ionair.sbs.co...ir/IB_OnAir.CAB
O16 - DPF: {5C899971-E9D6-4496-8077-98378408E340} (MPControl Control) - http://mplay.sbs.co....SiMPControl.cab
O16 - DPF: {60F039CE-9490-4361-A769-5419FD166359} (egnInstallXCtrl2 Control) - http://empasweb.neff...stallXCtrl2.cab
O16 - DPF: {69E45937-0CB5-4FF9-8BB4-32B002FAD22D} - http://www.sazoounse.com/sazoounse.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - http://download.soft.../xw_install.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8592EE3-3790-41B6-A7C6-C722FCFFFD14} (EmpasWinXPSP2 Class) - http://empasweb.neff...empashelper.cab
O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA¢¼OCA·I±×·¥) - http://cdn.hangame.c...g/HanWebMsg.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://cdn.hangame.c...anSetup1008.cab
O16 - DPF: {E9702169-AFE2-477A-A79D-32151006E547} (IBSiteSigning.SiteSigning) - http://www.sbs.co.kr...SiteSigning.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jedimack.net
O17 - HKLM\Software\..\Telephony: DomainName = jedimack.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{53674CB8-EDE3-4229-ABBF-68C4B4B7EF1F}: Domain = jedimack.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jedimack.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jedimack.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jedimack.net
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\mhtask.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
  • 0

#4
palagibaboy
Posted 30 July 2005 - 04:22 PM

palagibaboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Please Help. It's been 5 Days, and I am unable to do any real work on this computer. Thanks.

Here's the latest HiJackThis log file (I've had to run scans and delete other files that have been forcing installation onto my computer).


Logfile of HijackThis v1.99.1
Scan saved at 3:15:45 PM, on 7/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\wrortkq.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\sodznfpntu.exe
C:\WINDOWS\sodznfpntu.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\sodznfpntu.exe
C:\Documents and Settings\Riverstone\Desktop\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe,C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [sviksa] c:\windows\system32\wrortkq.exe r
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O15 - Trusted Zone: *.comcast.com
O15 - Trusted Zone: *.comcast.net
O15 - Trusted Zone: *.eventvibe.com
O15 - Trusted Zone: *.ford.com
O15 - Trusted Zone: *.imbc.com
O15 - Trusted Zone: http://*.sbs.co.kr
O16 - DPF: {00B44666-FFBD-4ADA-8169-CEA9A8B6B479} - http://filebox.empas...asMp3Player.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://chbib.chb.co....CSK_4.0.3.5.cab
O16 - DPF: {474AD63A-9B7E-40FE-8E4E-7067CC0F8D3D} (IB_OnAir.IBOnAir) - http://ionair.sbs.co...ir/IB_OnAir.CAB
O16 - DPF: {5C899971-E9D6-4496-8077-98378408E340} (MPControl Control) - http://mplay.sbs.co....SiMPControl.cab
O16 - DPF: {60F039CE-9490-4361-A769-5419FD166359} (egnInstallXCtrl2 Control) - http://empasweb.neff...stallXCtrl2.cab
O16 - DPF: {69E45937-0CB5-4FF9-8BB4-32B002FAD22D} - http://www.sazoounse.com/sazoounse.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - http://download.soft.../xw_install.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8592EE3-3790-41B6-A7C6-C722FCFFFD14} (EmpasWinXPSP2 Class) - http://empasweb.neff...empashelper.cab
O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA¢¼OCA·I±×·¥) - http://cdn.hangame.c...g/HanWebMsg.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://cdn.hangame.c...anSetup1008.cab
O16 - DPF: {E9702169-AFE2-477A-A79D-32151006E547} (IBSiteSigning.SiteSigning) - http://www.sbs.co.kr...SiteSigning.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jedimack.net
O17 - HKLM\Software\..\Telephony: DomainName = jedimack.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{53674CB8-EDE3-4229-ABBF-68C4B4B7EF1F}: Domain = jedimack.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jedimack.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jedimack.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jedimack.net
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
  • 0

#5
Bugbatter
Posted 30 July 2005 - 06:15 PM

Bugbatter

    Malware Expert

  • Expert
  • 341 posts
  • MVP
Hi, palagibaboy,
I'm sorry that we could not get to you sooner. Thank you for being patient.

Let's fix the main infection first. Then we can take care of any remnants. Are you completely free of WinFixer?

Please print these instructions. You will be working in Safemode and will not have access to the internet during the fix.
Now for Aurora.....

Please disable Spyware Doctor until we are finished. Its Registry monitoring that prevents bad changes also may prevent us from making good changes.
(Please do not install that MS AntiSpyware until we are finished and you are clear of problems.)

Enable the "Show Hidden Folders" option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders.
Uncheck the Hide Protected Operating System Files (recommended) option.
Click Yes to confirm.
Click OK.

Please download, install, and update the free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Exit Ewido. DO NOT scan yet.
Download CCleaner and install, but do not run it yet.

Please download this installer for the Nailfix utility.
Or from here: http://www.spywareed.../nf/nailfix.exe

DO NOT run it yet.

Reboot into Safe Mode. To do this with Windows XP, you can follow these steps from Microsoft:
  • Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when you the Boot Menu appears.
  • Select an option when the Windows Advanced Options menu appears, and then press ENTER.
  • When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.
Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next, run Ewido again.
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Then run HijackThis, click Scan, and place a checkmark by the following items:

O4 - HKLM\..\Run: [sviksa] C:\windows\system32\rwrortkq.exe\ r
**Note:
NOTE: The 04 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, that will always in in a single letter r.

F2 - REG:system.ini: Shell=Explorer.exe,C:\WINDOWS\Nail.exe
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe

Take a look at those 016's. You can fix any of them that you did not intentionally install. They are Active-X objects that allow external code to be run on your machine. You will be asked to install them again if you visit those websites, so you have that option, should you chjange your mind later. HJT also saves backups if you need them.
Also fix this one:
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe

Close all open windows except for HijackThis and click Fix Checked. Close HJT.

Locate and delete the following Files in BOLD:
c:\windows\system32\rwrortkq.exe (or whatever the name may have changed to, as noted above).
C:\WINDOWS\system32\richedtr.dll <-- This should be gone, but it won't hurt to double-check
C:\WINDOWS\dsr.dll <-- This should be gone, but it won't hurt to double-check.
C:\WINDOWS\dinst.exe
c:\windows\SvcProc.exe

Now, run CCleaner.
  • Uncheck "Cookies" under "Internet Explorer".
  • If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
  • Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Are you using jedimack.net?

Did YOU set ALL of these Trusted Zones in IE? If not, we can take care of them and reset your zones in my next post.
O15 - Trusted Zone: *.comcast.com
O15 - Trusted Zone: *.comcast.net
O15 - Trusted Zone: *.eventvibe.com
O15 - Trusted Zone: *.ford.com
O15 - Trusted Zone: *.imbc.com
O15 - Trusted Zone: http://*.sbs.co.kr
**If you want to fix them now, tick them along with the others above when you are using HJT.

Edited by Bugbatter, 30 July 2005 - 09:36 PM.

  • 0

#6
palagibaboy
Posted 30 July 2005 - 07:50 PM

palagibaboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Thanks Bugbatter!

I have a couple questions before I start.

1) A friend of my Ex-GF (long story, I'll spare you the details :tazz: ) actually installed the MS AntiSpyware sometime ago (before all this trouble started). Should I uninstall it? I don't actually have the CD for the software, so if I do uninstall it, it'll be gone. I don't really use it much (I've always preferred lavasoft's 'adsoft' program, and I'm probably going to purchase a full version of something else down the line), but I just wanted to get your opinion before I uninstall it for good.

2) What do I need to do to disable Spyware Doctor? I can just check it to see if there are some options to turn it off, but I figured I'd ask to see if there's anything specific you want me to do. As is, it's not set to automatically run, but I could probably uninstall it, too. I still have the installer somewhere I think (or I can always re-download it).

3) I don't know what jedimack.net actually is? It's probably related to one of the sites my ex-GF used to log into. All the ".kr" sites (Korean sites) are hers, as well. Mostly liks to gaming sites, or VOD sites (IMBC, SBS.. these are Korean TV stations that run VOD). If it makes sense to get rid of those site links, I can, though I'm not sure they pose an immediate risk.


I'll wait for your reply, then start the cleanup. Thanks again. This will be immensely helpful.
  • 0

#7
Bugbatter
Posted 30 July 2005 - 09:55 PM

Bugbatter

    Malware Expert

  • Expert
  • 341 posts
  • MVP
1. MS AntiSpyware is installed from their website, so you would not have the CD.. They just updated the version, so what you have might be the old one??
http://www.microsoft...re/default.mspx (It is a BETA version.)

2. I do not have SpywareDoctor, so I cannot look to see how to disable it. If you cannot figure it out, just leave it, and we'll hope that it does not interfere.
It shows as running here:
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

3. As long as you had not started yet, I edited my post above to remind you to fix those 015 trusted zones at the same time you did the others.
You can fix of any of the 016's (game sites, etc.) that you do not recognize.
  • 0

#8
palagibaboy
Posted 30 July 2005 - 10:40 PM

palagibaboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Well, I get an odd error with the MS Antispyware when I try to uninstall it. It says the "installer file" does not exist in the "downloaded installer" folder. Odd. Well, I'm going to try and do these fixes and see what happens. Thanks!
  • 0

#9
Bugbatter
Posted 31 July 2005 - 09:13 AM

Bugbatter

    Malware Expert

  • Expert
  • 341 posts
  • MVP
Was MSAS actually installed and running at one time? Maybe it was not installed correctly to begin with? Did you try to remove it using Add/Remove Programs? According to MS, that is how it should be removed.
  • 0

#10
palagibaboy
Posted 01 August 2005 - 03:08 AM

palagibaboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Sorry, had some real issues with my computer since I last posted. For whatever reason, I got "explorer.exe" errors that wouldn't even allow me to browse windows in regular mode. I re-started using the 'last known good setup' and, after a few debugging sessions in safemode, seem to have gotten things to work. One problem I've had is that now when I opened up in regular mode, I got a "nailfix.exe could not be found" error.

In any case, I do know that if I double click on the MSAS it runs, so it's installed. I have no idea why I can't uninstall it. It's quite annoying.

Anyways, I'm going to try and run those first fixes, and then I'll post results. Thanks again for the help and patience.
  • 0

Advertisements

#11
Bugbatter
Posted 01 August 2005 - 07:27 AM

Bugbatter

    Malware Expert

  • Expert
  • 341 posts
  • MVP
For now, make sure MSAS is totally disabled:
Open Microsoft Anti-Spyware.
1. Click on the Options menu and choose Settings.
2. In the left pane column click on "Real Time Protection".
3. Under Startup Options, uncheck "Enable (MSAS) Security Agents on startup (recommended)"
4. Under Real-time spyware threat protection, uncheck and "Enable real-time spyware threat protection" (recommended).
5. Click the Save button and close Microsoft AntiSpyware.
Finally, right-click on the MSAS icon in the system tray and select "Shutdown Microsoft Antispyware". That should keep it quite.

If you cannot run NailFix, here are some alternate sites for downloading the fix if you want to try again:
This is the .exe setup version
http://www.noidea.us...050711214630636
http://www.spywareed.../nf/nailfix.exe

Good luck!
  • 0

#12
palagibaboy
Posted 01 August 2005 - 01:09 PM

palagibaboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Well, seems that MSAS expired yesterday anyways :tazz: .. hopefully it didn't cause any problems. One thing that happened when I re-started into regular mode is that I got an error message

"xprtect.exe .. This application has failed to start because MACHDSDK.DLL was not found. Re-Installing the application may fix this problem."

I think this program is related to the build of the CPU. The opening screen on startup for this splashes some kind of "X-MACH" logo.

Anyhoo, on to my logs.

First HiJackthis. I noticed that the pesky "abc-etc.exe r" is still visible. I was unable to locate it in the system32 folder (seems all the stuff you asked me to locate had been removed), but I don't know.

............................................
Logfile of HijackThis v1.99.1
Scan saved at 11:52:48 AM, on 8/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\windows\system32\qjhtnc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Riverstone\Desktop\michael\virus\hijackthis\HijackThis.exe

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [rpyduw] c:\windows\system32\qjhtnc.exe r
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O15 - Trusted Zone: *.comcast.com
O15 - Trusted Zone: *.comcast.net
O15 - Trusted Zone: *.eventvibe.com
O15 - Trusted Zone: *.ford.com
O15 - Trusted Zone: *.imbc.com
O15 - Trusted Zone: http://*.sbs.co.kr
O16 - DPF: {00B44666-FFBD-4ADA-8169-CEA9A8B6B479} - http://filebox.empas...asMp3Player.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://chbib.chb.co....CSK_4.0.3.5.cab
O16 - DPF: {474AD63A-9B7E-40FE-8E4E-7067CC0F8D3D} (IB_OnAir.IBOnAir) - http://ionair.sbs.co...ir/IB_OnAir.CAB
O16 - DPF: {5C899971-E9D6-4496-8077-98378408E340} (MPControl Control) - http://mplay.sbs.co....SiMPControl.cab
O16 - DPF: {60F039CE-9490-4361-A769-5419FD166359} (egnInstallXCtrl2 Control) - http://empasweb.neff...stallXCtrl2.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - http://download.soft.../xw_install.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8592EE3-3790-41B6-A7C6-C722FCFFFD14} (EmpasWinXPSP2 Class) - http://empasweb.neff...empashelper.cab
O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA¢¼OCA·I±×·¥) - http://cdn.hangame.c...g/HanWebMsg.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://cdn.hangame.c...anSetup1008.cab
O16 - DPF: {E9702169-AFE2-477A-A79D-32151006E547} (IBSiteSigning.SiteSigning) - http://www.sbs.co.kr...SiteSigning.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jedimack.net
O17 - HKLM\Software\..\Telephony: DomainName = jedimack.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{53674CB8-EDE3-4229-ABBF-68C4B4B7EF1F}: Domain = jedimack.net
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

...............


Here's my ewido scan report.. (I scanned this before going to bed last night)

................

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:49:44 AM, 8/1/2005
+ Report-Checksum: AA02B6F3

+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Mvu -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-1645522239-152049171-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKU\S-1-5-21-1645522239-152049171-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1645522239-152049171-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{28CAEFF3-0F18-4036-B504-51D73BD81ABC} -> Spyware.SearchMiracle : Cleaned with backup
HKU\S-1-5-21-1645522239-152049171-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{825CF5BD-8862-4430-B771-0C15C5CA8DEF} -> Spyware.EliteBar : Cleaned with backup
HKU\S-1-5-21-1645522239-152049171-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1645522239-152049171-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE188402-6EE7-4022-8868-AB25173A3E14} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1645522239-152049171-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1645522239-152049171-1801674531-1003\Software\Mvu -> Spyware.Delfin : Cleaned with backup
[896] c:\windows\system32\objrecd.exe -> Adware.BetterInternet : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.159:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.160:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.161:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.163:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.176:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.177:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.178:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.179:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.180:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.181:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.182:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.183:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.184:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.185:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.186:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.187:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.188:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.189:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.197:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.214:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Riverstone\Cookies\riverstone@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Riverstone\Local Settings\Temp\Cookies\riverstone@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Riverstone\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.Delfin : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6F0702D0-FD8E-4A29-B502-3D6CEC\7826F2FD-7A41-49A2-9775-D3D894 -> Spyware.Delfin : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7B8ADABC-056B-4FDA-9B9B-063677\0534521C-0F38-4477-9E8B-08EE68 -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A3DB0EFF-23E9-4749-9AD7-2637D8\3C8B1949-3392-43D8-B7FF-253BC1 -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\AuroraHandler.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\dinst.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
C:\WINDOWS\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\hpdbze.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\sodznfpntu.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system\UpdInst.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\a0e9nv3j.exe -> Adware.Saha : Cleaned with backup
C:\WINDOWS\system32\ge7mapo6.dll -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\ioxrtmgr.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\iYsacct.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\LESCR13n.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\machdsdk.dll -> Spyware.DigitalNames : Cleaned with backup
C:\WINDOWS\system32\mhtask.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\nqtid.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\numkcert.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\NxADU.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\objrecd.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\osbccu32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\redtrsha.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\wjpencen.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\uci121er.exe -> Adware.SAHA : Cleaned with backup


::Report End

..............

Hmm... noticed that the machdkds.dll was cleaned. Should I be restoring it from backup out of ewido? I'm not 100% sure it's part of the build, but... well, I'll wait for your answer. Thanks.
  • 0

#13
palagibaboy
Posted 01 August 2005 - 01:11 PM

palagibaboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Oh.. fyi.. the aurora popups are still coming up.
  • 0

#14
palagibaboy
Posted 01 August 2005 - 05:40 PM

palagibaboy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
I'm going to be out for several hours (until maybe 10 pm) but I hope to be back soon to try and dedicate time to finishing these fixes this evening. Thanks again for the help, bugbatter :tazz:
  • 0

#15
Bugbatter
Posted 01 August 2005 - 07:30 PM

Bugbatter

    Malware Expert

  • Expert
  • 341 posts
  • MVP

I think this program is related to the build of the CPU.

The version that is on there was scheduled to expire yesterday for everybody who has/had that one.
http://www.microsoft...eckversion.mspx
There is a MSAS forum here on which you can post questions specifically relating to MSAS.
http://castlecops.co...ntiSpyware.html

machdkds.dll was cleaned. Should I be restoring it from backup out of ewido?

Why would you want to do that?

We are not finished yet. It could take longer than tonight.
Spyware Doctor is running again. Please disable it until we are completely finished.

Let's fix your Ex's Trusted Zones:
Please download DelDomains > http://ralphcaddell.com/Uploads/
Or: http://www.mvps.org/.../DelDomains.inf
Download the zip file and unzip it to your desktop.
Right-click on the deldomains.inf file and select 'Install'
Make sure Internet Explorer is closed. You won't see anything happen.
Give it a minute then reboot your PC into Safemode.

Still in Safemode, launch HJT and tick these:
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)

O4 - HKLM\..\Run: [rpyduw] c:\windows\system32\qjhtnc.exe r <-- this one will be renamed because you rebooted -- Look for the "r". Make a note of the new file name so you can delete it after this.

O15 - Trusted Zone: *.comcast.com
O15 - Trusted Zone: *.comcast.net
O15 - Trusted Zone: *.eventvibe.com
O15 - Trusted Zone: *.ford.com
O15 - Trusted Zone: *.imbc.com
O15 - Trusted Zone: http://*.sbs.co.kr
O16 - DPF: {00B44666-FFBD-4ADA-8169-CEA9A8B6B479} - http://filebox.empas...asMp3Player.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://chbib.chb.co....CSK_4.0.3.5.cab
O16 - DPF: {474AD63A-9B7E-40FE-8E4E-7067CC0F8D3D} (IB_OnAir.IBOnAir) - http://ionair.sbs.co...ir/IB_OnAir.CAB
O16 - DPF: {5C899971-E9D6-4496-8077-98378408E340} (MPControl Control) - http://mplay.sbs.co....SiMPControl.cab
O16 - DPF: {60F039CE-9490-4361-A769-5419FD166359} (egnInstallXCtrl2 Control) - http://empasweb.neff...stallXCtrl2.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - http://download.soft.../xw_install.cab
O16 - DPF: {B9DD5FFF-776D-4E53-93D3-A4463E63AD86} (CN°OAOA?¼OCA·I±×·?) - http://cdn.hangame.c...g/HanWebMsg.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://cdn.hangame.c...anSetup1008.cab
O16 - DPF: {E9702169-AFE2-477A-A79D-32151006E547} (IBSiteSigning.SiteSigning) - http://www.sbs.co.kr...SiteSigning.CAB

If you are NOT using jedimack, you can fix these:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jedimack.net
O17 - HKLM\Software\..\Telephony: DomainName = jedimack.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{53674CB8-EDE3-4229-ABBF-68C4B4B7EF1F}: Domain = jedimack.net

Close all windows and click "Fix Checked".
Do not reboot yet.

Delete that randomly named file with the "r" at the end.
Still in Safemode see if you can find whatever it is now named (will have "r" at the end) to DELETE it from your c:\windows\system32 folder.

NOW reboot and run another HJT scan for your next post.

Check your new log. If that it "r" file is still there as an 04 entry, do not reboot until I can have a look at the log, and let you know what to do next.
Our journey is not over....
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP