Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

WinFixer/Aurora [RESOLVED]


  • This topic is locked This topic is locked

#1
ll P0S3Y ll

ll P0S3Y ll

    New Member

  • Member
  • Pip
  • 7 posts
PLEASE HELP! I've done everything I know of to get rid of this malware but can't. I was refered here by a friend and hope you can help. Thanks in advance.

Here's the Hijack:


Logfile of HijackThis v1.99.1
Scan saved at 12:53:31 AM, on 8/5/1994
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\vdmaw.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\apsi\wtta.exe
C:\WINDOWS\system32\w?nword.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Anders Kjersem\PopKiller\PopKiller.exe
C:\WINDOWS\system32\wintask.exe
C:\PROGRA~1\VBouncer\VIRTUA~1.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.teamchozen.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homep...k.com/start.cgi
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [0FtV3nj] vdmaw.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Anders Kjersem: PopKiller] "C:\Program Files\Anders Kjersem\PopKiller\PopKiller.exe" /tray
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
O4 - HKCU\..\Run: [Suutxvpv] C:\WINDOWS\system32\w?nword.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensave.../sinstaller.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresp...p/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\krdusx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

**By the way, I know the date's wrong....

Edited by ll P0S3Y ll, 04 August 2005 - 10:54 PM.

  • 0

Advertisements


#2
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Hi ll P0S3Y ll and welcome to GeeksToGo!
I'm working on your log, as soon as another staff member reviews it I'll post a reply.
Thank you for your patience.
Skate_Punk_21
  • 0

#3
ll P0S3Y ll

ll P0S3Y ll

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks man, I was getting a lil worried that I had gone unoticed. I really appreciate the help....
  • 0

#4
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
And We're Back!

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Notes
Yuck! Few uglies hiding here... lets have at her!!

Downloads
Download LQfix & save it to your desktop DO NOT RUN IT YET


Boot Into Safe Mode
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.


View Hidden Files and Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


Potential Uninstallations
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

SurfSideKick3
Viewpoint Manager
Virtual Bouncer
P2P Networking
Elite Toolbar



Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [0FtV3nj] vdmaw.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
O4 - HKCU\..\Run: [Suutxvpv] C:\WINDOWS\system32\w?nword.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\krdusx.dll

Please remember to close all other windows, including browsers then click Fix checked.


File/Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\SurfSideKick 3\
C:\WINDOWS\System32\P2P Networking\
C:\Program Files\Viewpoint\Viewpoint Manager\
ALCXMNTR.EXE <<-- search for via "Start | Search"
C:\WINDOWS\cfgmgr52.dll
AUNPS2.DLL <<-- search for via "Start | Search"
C:\WINDOWS\system32\vdmaw.exe
C:\WINDOWS\ttupt.exe
C:\WINDOWS\system32\exp.exe
C:\WINDOWS\system32\wintask.exe
C:\PROGRA~1\VBouncer\
C:\Program Files\apsi\
C:\WINDOWS\system32\w?nword.exe


Reboot your system in Normal Mode.


Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!


Download FindIt's.zip http://forums.net-in...=post&id=142443 to your desktop.

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient...


Please run a Scan at any 2 of the Following sites
Symantec/Norton
Trend Micro
BitDefender On-Line Virus Scan
Panda ActiveScan
F-Secure
Kaspersky

Make sure that you choose the "fix" or "clean" option when available
Please Take note of any files that were uncleanable and post the filenames here in your next reply

Please post a fresh HijackThis log, L2MFix Log and the FindIt results, so that we can check if your system is clean.
  • 0

#5
ll P0S3Y ll

ll P0S3Y ll

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
L2Mfix 1.03a

Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry
- removing existing ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Owner\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'
Killing PID 1516 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\dolayx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dolayx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dtstyle.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dtstyle.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fwswzrd.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fwswzrd.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hmwTVDlg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hmwTVDlg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ikput.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ikput.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ipseng.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ipseng.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\izetpp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\izetpp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kbrberos.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kbrberos.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\krdusx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\krdusx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\skorage.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\skorage.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\dolayx.dll
Successfully Deleted: C:\WINDOWS\system32\dolayx.dll
deleting: C:\WINDOWS\system32\dolayx.dll
Successfully Deleted: C:\WINDOWS\system32\dolayx.dll
deleting: C:\WINDOWS\system32\dtstyle.dll
Successfully Deleted: C:\WINDOWS\system32\dtstyle.dll
deleting: C:\WINDOWS\system32\dtstyle.dll
Successfully Deleted: C:\WINDOWS\system32\dtstyle.dll
deleting: C:\WINDOWS\system32\fwswzrd.dll
Successfully Deleted: C:\WINDOWS\system32\fwswzrd.dll
deleting: C:\WINDOWS\system32\fwswzrd.dll
Successfully Deleted: C:\WINDOWS\system32\fwswzrd.dll
deleting: C:\WINDOWS\system32\hmwTVDlg.dll
Successfully Deleted: C:\WINDOWS\system32\hmwTVDlg.dll
deleting: C:\WINDOWS\system32\hmwTVDlg.dll
Successfully Deleted: C:\WINDOWS\system32\hmwTVDlg.dll
deleting: C:\WINDOWS\system32\ikput.dll
Successfully Deleted: C:\WINDOWS\system32\ikput.dll
deleting: C:\WINDOWS\system32\ikput.dll
Successfully Deleted: C:\WINDOWS\system32\ikput.dll
deleting: C:\WINDOWS\system32\ipseng.dll
Successfully Deleted: C:\WINDOWS\system32\ipseng.dll
deleting: C:\WINDOWS\system32\ipseng.dll
Successfully Deleted: C:\WINDOWS\system32\ipseng.dll
deleting: C:\WINDOWS\system32\izetpp.dll
Successfully Deleted: C:\WINDOWS\system32\izetpp.dll
deleting: C:\WINDOWS\system32\izetpp.dll
Successfully Deleted: C:\WINDOWS\system32\izetpp.dll
deleting: C:\WINDOWS\system32\kbrberos.dll
Successfully Deleted: C:\WINDOWS\system32\kbrberos.dll
deleting: C:\WINDOWS\system32\kbrberos.dll
Successfully Deleted: C:\WINDOWS\system32\kbrberos.dll
deleting: C:\WINDOWS\system32\krdusx.dll
Successfully Deleted: C:\WINDOWS\system32\krdusx.dll
deleting: C:\WINDOWS\system32\krdusx.dll
Successfully Deleted: C:\WINDOWS\system32\krdusx.dll
deleting: C:\WINDOWS\system32\skorage.dll
Successfully Deleted: C:\WINDOWS\system32\skorage.dll
deleting: C:\WINDOWS\system32\skorage.dll
Successfully Deleted: C:\WINDOWS\system32\skorage.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: dolayx.dll (188 bytes security) (deflated 48%)
adding: dtstyle.dll (188 bytes security) (deflated 48%)
adding: fwswzrd.dll (188 bytes security) (deflated 48%)
adding: hmwTVDlg.dll (188 bytes security) (deflated 48%)
adding: ikput.dll (188 bytes security) (deflated 48%)
adding: ipseng.dll (188 bytes security) (deflated 48%)
adding: izetpp.dll (188 bytes security) (deflated 48%)
adding: kbrberos.dll (188 bytes security) (deflated 48%)
adding: krdusx.dll (188 bytes security) (deflated 48%)
adding: skorage.dll (188 bytes security) (deflated 48%)
adding: guard.tmp (188 bytes security) (deflated 48%)
adding: clear.reg (188 bytes security) (deflated 2%)
adding: echo.reg (188 bytes security) (deflated 9%)
adding: direct.txt (188 bytes security) (stored 0%)
adding: lo2.txt (188 bytes security) (deflated 87%)
adding: readme.txt (188 bytes security) (deflated 49%)
adding: test.txt (188 bytes security) (deflated 86%)
adding: test2.txt (188 bytes security) (stored 0%)
adding: test3.txt (188 bytes security) (stored 0%)
adding: test5.txt (188 bytes security) (stored 0%)
adding: xfind.txt (188 bytes security) (deflated 82%)
adding: backregs/shell.reg (188 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: dolayx.dll
deleting local copy: dolayx.dll
deleting local copy: dtstyle.dll
deleting local copy: dtstyle.dll
deleting local copy: fwswzrd.dll
deleting local copy: fwswzrd.dll
deleting local copy: hmwTVDlg.dll
deleting local copy: hmwTVDlg.dll
deleting local copy: ikput.dll
deleting local copy: ikput.dll
deleting local copy: ipseng.dll
deleting local copy: ipseng.dll
deleting local copy: izetpp.dll
deleting local copy: izetpp.dll
deleting local copy: kbrberos.dll
deleting local copy: kbrberos.dll
deleting local copy: krdusx.dll
deleting local copy: krdusx.dll
deleting local copy: skorage.dll
deleting local copy: skorage.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dolayx.dll
C:\WINDOWS\system32\dolayx.dll
C:\WINDOWS\system32\dtstyle.dll
C:\WINDOWS\system32\dtstyle.dll
C:\WINDOWS\system32\fwswzrd.dll
C:\WINDOWS\system32\fwswzrd.dll
C:\WINDOWS\system32\hmwTVDlg.dll
C:\WINDOWS\system32\hmwTVDlg.dll
C:\WINDOWS\system32\ikput.dll
C:\WINDOWS\system32\ikput.dll
C:\WINDOWS\system32\ipseng.dll
C:\WINDOWS\system32\ipseng.dll
C:\WINDOWS\system32\izetpp.dll
C:\WINDOWS\system32\izetpp.dll
C:\WINDOWS\system32\kbrberos.dll
C:\WINDOWS\system32\kbrberos.dll
C:\WINDOWS\system32\krdusx.dll
C:\WINDOWS\system32\krdusx.dll
C:\WINDOWS\system32\skorage.dll
C:\WINDOWS\system32\skorage.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


FindIt's

Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 08/07/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\RU.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\PXWMA.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C is PRESARIO
Volume Serial Number is A8C2-DC6F

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C is PRESARIO
Volume Serial Number is A8C2-DC6F

Directory of C:\WINDOWS\system32

08/05/1994 12:26 AM 1,406 AddQuit.ico
08/05/1994 12:26 AM 9,470 Desktop.ico
08/05/1994 12:26 AM 1,406 Help.ico
08/05/1994 12:26 AM 5,350 IE.ico
01/06/2005 02:15 PM 1,406 oi-uninstaller.ico
08/05/1994 12:26 AM 1,718 Open.ico
08/05/1994 12:26 AM 1,718 Quick.ico
08/05/1994 12:26 AM 2,550 Uninstall.ico
8 File(s) 25,024 bytes
0 Dir(s) 15,934,550,016 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».

Hijack

Logfile of HijackThis v1.99.1
Scan saved at 9:43:45 PM, on 8/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Anders Kjersem\PopKiller\PopKiller.exe
C:\Program Files\Ares\Ares.exe
C:\WINDOWS\system32\w?nword.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\apsi\wtta.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.teamchozen.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homep...k.com/start.cgi
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O2 - BHO: (no name) - {420249F6-F013-FFC2-63C3-820CF881F093} - C:\WINDOWS\system32\cpk.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Anders Kjersem: PopKiller] "C:\Program Files\Anders Kjersem\PopKiller\PopKiller.exe" /tray
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Suutxvpv] C:\WINDOWS\system32\w?nword.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensave.../sinstaller.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresp...p/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe



Thanks for the help, let me know what I need to do next....

Edited by ll P0S3Y ll, 07 August 2005 - 07:43 PM.

  • 0

#6
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
And We're Back!

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.


Downloads
Download Killbox

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot) Click Yes at the 'Pending Operations prompt'. if you see it:

C:\WINDOWS\system32\w?nword.exe
C:\WINDOWS\system32\cpk.dll
C:\WINDOWS\RU.EXE
C:\WINDOWS\PXWMA.DLL
C:\WINDOWS\system32\AddQuit.ico
C:\WINDOWS\system32\Desktop.ico
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\IE.ico
C:\WINDOWS\system32\oi-uninstaller.ico
C:\WINDOWS\system32\Open.ico
C:\WINDOWS\system32\Quick.ico
C:\WINDOWS\system32\Uninstall.ico

* If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to restart Windows manually .

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.


Boot Into Safe Mode
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.


View Hidden Files and Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.



Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O2 - BHO: (no name) - {420249F6-F013-FFC2-63C3-820CF881F093} - C:\WINDOWS\system32\cpk.dll
O4 - HKCU\..\Run: [Suutxvpv] C:\WINDOWS\system32\w?nword.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Please remember to close all other windows, including browsers then click Fix checked.


File/Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\SurfSideKick 3\
C:\Program Files\apsi\

Reboot your system in Normal Mode.


Further Scanning
Please run a Scan at the Following site
Panda ActiveScan

Make sure that you choose the "fix" or "clean" option when available
at the end of this scan you will be given then option to save a log from the scan -SAVE THAT LOG- and post it here

Please post a fresh HijackThis log & the Log from Panda so that we can check if your system is clean.
  • 0

#7
ll P0S3Y ll

ll P0S3Y ll

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Panda

Incident Status Location

Adware:Adware/PurityScan No disinfected C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\5M7G23QN\!update-2234[1].0000
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\5M7G23QN\!update-2244[1].0000
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8PQ78PI3\!update-2214[1].0000
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WP2RCTIN\!update-2204[1].0000
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WP2RCTIN\!update-2224[1].0000
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WP2RCTIN\!update-2274[1].0000
Spyware:spyware/surfsidekick No disinfected C:\Documents and Settings\Owner\Application Data\Sskcwrd.dll
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[dolayx.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[dtstyle.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[fwswzrd.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[hmwTVDlg.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[ikput.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[ipseng.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[izetpp.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[kbrberos.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[krdusx.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[skorage.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[guard.tmp]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix.exe[Process.exe]
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\!update.exe
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\i12BC.tmp
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr48F3
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\temp.frEA91\setup.inf
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4PQJS5MN\AutoUpdaterInstaller[1].exe
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4PQJS5MN\CA416JYV.HTM
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\I12L4NOP\rosexactpop[1].html
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M5GZEX65\!update-2295[1].0000
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OLKZKVC7\auto_update[1].txt
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TEPE2E6B\CAKTERG5.HTM
Adware:Adware/Funcade No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UWMN68HN\installer_VENDARE4[1].cab[installer_VENDARE4.exe]
Adware:Adware/nCase No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XBBV1LKA\init[1].js
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/PurityScan No disinfected C:\Program Files\apsi\wtta.exe
Adware:Adware/PurityScan No disinfected C:\RECYCLER\S-1-5-21-2921442898-3614346467-1668361493-500\Dc1\wtta.exe
Adware:Adware/BookedSpace No disinfected C:\RECYCLER\S-1-5-21-2921442898-3614346467-1668361493-500\Dc5.dll
Adware:Adware/PurityScan No disinfected C:\RECYCLER\S-1-5-21-2921442898-3614346467-1668361493-500\Dc9\wtta.exe
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware/look2me No disinfected C:\WINDOWS\Downloaded Program Files\ActiveX.ocx
Adware:adware/sahagent No disinfected C:\WINDOWS\Downloaded Program Files\lsp_.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\etb\pokapoka62.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\casino.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\dating.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\drugs.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\fav.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\virus.bmp
Adware:adware/ncase No disinfected C:\WINDOWS\msbb.exe.temp
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall5_64.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\rhwfucpb.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system\UpdInst.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\fsvjdoze.dll
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\GmtlA.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe
Adware:adware/browseraid No disinfected C:\WINDOWS\system32\stlbdist.DLL
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmltok.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\Temp\!update.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\Temp\auf0.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\Temp\AutoUpdate0\setup.inf
Adware:Adware/ConsumerAlertSystemNo disinfected C:\WINDOWS\Temp\cassetup.exe
Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\Temp\i143.tmp
Adware:Adware/WinAD No disinfected C:\WINDOWS\Temp\MediaAccessInstPack.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\Temp\res3AC.tmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\8D6TEPKX\webservice[4].htm
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\8D6TEPKX\webservice[5].htm
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\92X9KX36\dating[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\92X9KX36\drugs[1].bmp
Adware:Adware/EliteBar No disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\92X9KX36\kw[1].exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IXQ60OTN\casino[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\KVEPM9M7\webservice[3].htm
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\KVEPM9M7\webservice[4].htm
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\KVEPM9M7\webservice[5].htm
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\KVEPM9M7\webservice[6].htm
Adware:Adware/Apropos No disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\NA5VUEMI\AproposClientInstaller[1].exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\NA5VUEMI\fav[1].bmp
Adware:Adware/Apropos No disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\PHYU76AE\auto_update[1].txt
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\PHYU76AE\virus[1].bmp
Adware:Adware/ConsumerAlertSystemNo disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\SY9VIFLI\cassetup[1].exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\SY9VIFLI\webservice[4].htm
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\SY9VIFLI\webservice[5].htm
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\Temp\wrapperouter.exe
Adware:Adware/Imibar No disinfected C:\WINDOWS\ttext.dll
Hijack
Logfile of HijackThis v1.99.1
Scan saved at 12:34:21 AM, on 8/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Anders Kjersem\PopKiller\PopKiller.exe
C:\WINDOWS\system32\w?nword.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\apsi\wtta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.teamchozen.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homep...k.com/start.cgi
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Anders Kjersem: PopKiller] "C:\Program Files\Anders Kjersem\PopKiller\PopKiller.exe" /tray
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensave.../sinstaller.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresp...p/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
  • 0

#8
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
And We're Back!

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Downloads
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! and install it. DO NOT RUN IT YET

Download, install, and update Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, EXIT


Run CleanUp! Set the program up as follows:
  • Click "Options..."
  • Move the arrow down to "Custom CleanUp!"
  • Put a check next to the following:

  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.


Boot Directly Into Safe Mode
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.


Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe

Please remember to close all other windows, including browsers then click Fix checked.

Run Downloaded Programs
Run Ewido Security Suite . Set the program up as follows:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
  • Binder
  • Crypter
  • Archives
  • Click on Start Scan
  • Let the program scan the machine
    While the scan is in progress you will be prompted to clean the first file. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the window (this way you don't have to sit and watch ewido) click OK
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop.
Reboot your system in Normal Mode.


Please post a fresh HijackThis log and the log from Ewido so that we can check if your system is clean.
  • 0

#9
ll P0S3Y ll

ll P0S3Y ll

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
EWIDO

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:44:31 AM, 8/11/2005
+ Report-Checksum: 482C670F

+ Scan result:

C:\WINDOWS\bsx32 -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ADBN1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ADVC3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\BingoRoom1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\CASH2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\DEBT1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\FindRomance1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\INK1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\KanFinance1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\MORT1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\RAM1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\SLC1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMP1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\UTN1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\XTFL2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ActiveX.ocx -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\etb\nt_hide62.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\etb\pokapoka62.exe -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\etb\xud_62.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\NDNuninstall5_64.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\rhwfucpb.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\system\UpdInst.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wіnword.exe -> Spyware.PurityScan : Cleaned with backup


::Report End

Hijack

Logfile of HijackThis v1.99.1
Scan saved at 8:44:53 AM, on 8/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.teamchozen.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homep...k.com/start.cgi
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Anders Kjersem: PopKiller] "C:\Program Files\Anders Kjersem\PopKiller\PopKiller.exe" /tray
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensave.../sinstaller.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresp...p/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe



Thanks for your help, I really appreciate it....
  • 0

#10
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
One last Item....

Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homep...k.com/start.cgi

Please remember to close all other windows, including browsers then click Fix checked.
________________________

And now...........

Congratulations Your Log is Clean!!:grin:


System Restore

Turn off System Restore by Clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

Reboot your System.

Turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.


Preventative Measures

This is a good time to set up protection against further attacks. Read How Did I Get Infected In The First Place?.

Also Consider...
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:How is she running now? Any further problems? If not, Good work, and Happy Computing!

Please reply once more so we know you have read these measures
  • 0

#11
ll P0S3Y ll

ll P0S3Y ll

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thank you so much for your help. I can't tell you how greatful I am. Now I just need some help with my mom's computer. I posted another thread under this same username. Thanks again....
  • 0

#12
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP